cryptfs.c revision 731a7a242df6cc3441ac82b4f9521546fac5ac2d
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "Ext4Crypt.h" 57#include "ext4_crypt_init_extensions.h" 58#include "ext4_utils.h" 59#include "f2fs_sparseblock.h" 60#include "CheckBattery.h" 61#include "Process.h" 62 63#include <hardware/keymaster0.h> 64 65#define UNUSED __attribute__((unused)) 66 67#define UNUSED __attribute__((unused)) 68 69#ifdef CONFIG_HW_DISK_ENCRYPTION 70#include "cryptfs_hw.h" 71#endif 72 73#define DM_CRYPT_BUF_SIZE 4096 74 75#define HASH_COUNT 2000 76#define KEY_LEN_BYTES 16 77#define IV_LEN_BYTES 16 78 79#define KEY_IN_FOOTER "footer" 80 81// "default_password" encoded into hex (d=0x64 etc) 82#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 83 84#define EXT4_FS 1 85#define F2FS_FS 2 86 87#define TABLE_LOAD_RETRIES 10 88 89#define RSA_KEY_SIZE 2048 90#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 91#define RSA_EXPONENT 0x10001 92 93#define RETRY_MOUNT_ATTEMPTS 10 94#define RETRY_MOUNT_DELAY_SECONDS 1 95 96char *me = "cryptfs"; 97 98static unsigned char saved_master_key[KEY_LEN_BYTES]; 99static char *saved_mount_point; 100static int master_key_saved = 0; 101static struct crypt_persist_data *persist_data = NULL; 102 103static int keymaster_init(keymaster0_device_t **keymaster_dev) 104{ 105 int rc; 106 107 const hw_module_t* mod; 108 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 109 if (rc) { 110 ALOGE("could not find any keystore module"); 111 goto out; 112 } 113 114 rc = keymaster0_open(mod, keymaster_dev); 115 if (rc) { 116 ALOGE("could not open keymaster device in %s (%s)", 117 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 118 goto out; 119 } 120 121 return 0; 122 123out: 124 *keymaster_dev = NULL; 125 return rc; 126} 127 128/* Should we use keymaster? */ 129static int keymaster_check_compatibility() 130{ 131 keymaster0_device_t *keymaster_dev = 0; 132 int rc = 0; 133 134 if (keymaster_init(&keymaster_dev)) { 135 SLOGE("Failed to init keymaster"); 136 rc = -1; 137 goto out; 138 } 139 140 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 141 142 if (keymaster_dev->common.module->module_api_version 143 < KEYMASTER_MODULE_API_VERSION_0_3) { 144 rc = 0; 145 goto out; 146 } 147 148 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 149 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 150 rc = 1; 151 } 152 153out: 154 keymaster0_close(keymaster_dev); 155 return rc; 156} 157 158/* Create a new keymaster key and store it in this footer */ 159static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 160{ 161 uint8_t* key = 0; 162 keymaster0_device_t *keymaster_dev = 0; 163 164 if (keymaster_init(&keymaster_dev)) { 165 SLOGE("Failed to init keymaster"); 166 return -1; 167 } 168 169 int rc = 0; 170 171 keymaster_rsa_keygen_params_t params; 172 memset(¶ms, '\0', sizeof(params)); 173 params.public_exponent = RSA_EXPONENT; 174 params.modulus_size = RSA_KEY_SIZE; 175 176 size_t key_size; 177 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 178 &key, &key_size)) { 179 SLOGE("Failed to generate keypair"); 180 rc = -1; 181 goto out; 182 } 183 184 if (key_size > KEYMASTER_BLOB_SIZE) { 185 SLOGE("Keymaster key too large for crypto footer"); 186 rc = -1; 187 goto out; 188 } 189 190 memcpy(ftr->keymaster_blob, key, key_size); 191 ftr->keymaster_blob_size = key_size; 192 193out: 194 keymaster0_close(keymaster_dev); 195 free(key); 196 return rc; 197} 198 199/* This signs the given object using the keymaster key. */ 200static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 201 const unsigned char *object, 202 const size_t object_size, 203 unsigned char **signature, 204 size_t *signature_size) 205{ 206 int rc = 0; 207 keymaster0_device_t *keymaster_dev = 0; 208 if (keymaster_init(&keymaster_dev)) { 209 SLOGE("Failed to init keymaster"); 210 return -1; 211 } 212 213 /* We currently set the digest type to DIGEST_NONE because it's the 214 * only supported value for keymaster. A similar issue exists with 215 * PADDING_NONE. Long term both of these should likely change. 216 */ 217 keymaster_rsa_sign_params_t params; 218 params.digest_type = DIGEST_NONE; 219 params.padding_type = PADDING_NONE; 220 221 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 222 size_t to_sign_size = sizeof(to_sign); 223 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 224 225 // To sign a message with RSA, the message must satisfy two 226 // constraints: 227 // 228 // 1. The message, when interpreted as a big-endian numeric value, must 229 // be strictly less than the public modulus of the RSA key. Note 230 // that because the most significant bit of the public modulus is 231 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 232 // key), an n-bit message with most significant bit 0 always 233 // satisfies this requirement. 234 // 235 // 2. The message must have the same length in bits as the public 236 // modulus of the RSA key. This requirement isn't mathematically 237 // necessary, but is necessary to ensure consistency in 238 // implementations. 239 switch (ftr->kdf_type) { 240 case KDF_SCRYPT_KEYMASTER: 241 // This ensures the most significant byte of the signed message 242 // is zero. We could have zero-padded to the left instead, but 243 // this approach is slightly more robust against changes in 244 // object size. However, it's still broken (but not unusably 245 // so) because we really should be using a proper RSA padding 246 // function, such as OAEP. 247 // 248 // TODO(paullawrence): When keymaster 0.4 is available, change 249 // this to use the padding options it provides. 250 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 251 SLOGI("Signing safely-padded object"); 252 break; 253 default: 254 SLOGE("Unknown KDF type %d", ftr->kdf_type); 255 return -1; 256 } 257 258 rc = keymaster_dev->sign_data(keymaster_dev, 259 ¶ms, 260 ftr->keymaster_blob, 261 ftr->keymaster_blob_size, 262 to_sign, 263 to_sign_size, 264 signature, 265 signature_size); 266 267 keymaster0_close(keymaster_dev); 268 return rc; 269} 270 271/* Store password when userdata is successfully decrypted and mounted. 272 * Cleared by cryptfs_clear_password 273 * 274 * To avoid a double prompt at boot, we need to store the CryptKeeper 275 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 276 * Since the entire framework is torn down and rebuilt after encryption, 277 * we have to use a daemon or similar to store the password. Since vold 278 * is secured against IPC except from system processes, it seems a reasonable 279 * place to store this. 280 * 281 * password should be cleared once it has been used. 282 * 283 * password is aged out after password_max_age_seconds seconds. 284 */ 285static char* password = 0; 286static int password_expiry_time = 0; 287static const int password_max_age_seconds = 60; 288 289extern struct fstab *fstab; 290 291enum RebootType {reboot, recovery, shutdown}; 292static void cryptfs_reboot(enum RebootType rt) 293{ 294 switch(rt) { 295 case reboot: 296 property_set(ANDROID_RB_PROPERTY, "reboot"); 297 break; 298 299 case recovery: 300 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 301 break; 302 303 case shutdown: 304 property_set(ANDROID_RB_PROPERTY, "shutdown"); 305 break; 306 } 307 308 sleep(20); 309 310 /* Shouldn't get here, reboot should happen before sleep times out */ 311 return; 312} 313 314static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 315{ 316 memset(io, 0, dataSize); 317 io->data_size = dataSize; 318 io->data_start = sizeof(struct dm_ioctl); 319 io->version[0] = 4; 320 io->version[1] = 0; 321 io->version[2] = 0; 322 io->flags = flags; 323 if (name) { 324 strlcpy(io->name, name, sizeof(io->name)); 325 } 326} 327 328/** 329 * Gets the default device scrypt parameters for key derivation time tuning. 330 * The parameters should lead to about one second derivation time for the 331 * given device. 332 */ 333static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 334 const int default_params[] = SCRYPT_DEFAULTS; 335 int params[] = SCRYPT_DEFAULTS; 336 char paramstr[PROPERTY_VALUE_MAX]; 337 char *token; 338 char *saveptr; 339 int i; 340 341 property_get(SCRYPT_PROP, paramstr, ""); 342 if (paramstr[0] != '\0') { 343 /* 344 * The token we're looking for should be three integers separated by 345 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 346 */ 347 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 348 token != NULL && i < 3; 349 i++, token = strtok_r(NULL, ":", &saveptr)) { 350 char *endptr; 351 params[i] = strtol(token, &endptr, 10); 352 353 /* 354 * Check that there was a valid number and it's 8-bit. If not, 355 * break out and the end check will take the default values. 356 */ 357 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 358 break; 359 } 360 } 361 362 /* 363 * If there were not enough tokens or a token was malformed (not an 364 * integer), it will end up here and the default parameters can be 365 * taken. 366 */ 367 if ((i != 3) || (token != NULL)) { 368 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 369 memcpy(params, default_params, sizeof(params)); 370 } 371 } 372 373 ftr->N_factor = params[0]; 374 ftr->r_factor = params[1]; 375 ftr->p_factor = params[2]; 376} 377 378static unsigned int get_fs_size(char *dev) 379{ 380 int fd, block_size; 381 struct ext4_super_block sb; 382 off64_t len; 383 384 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 385 SLOGE("Cannot open device to get filesystem size "); 386 return 0; 387 } 388 389 if (lseek64(fd, 1024, SEEK_SET) < 0) { 390 SLOGE("Cannot seek to superblock"); 391 return 0; 392 } 393 394 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 395 SLOGE("Cannot read superblock"); 396 return 0; 397 } 398 399 close(fd); 400 401 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 402 SLOGE("Not a valid ext4 superblock"); 403 return 0; 404 } 405 block_size = 1024 << sb.s_log_block_size; 406 /* compute length in bytes */ 407 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 408 409 /* return length in sectors */ 410 return (unsigned int) (len / 512); 411} 412 413static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 414{ 415 static int cached_data = 0; 416 static off64_t cached_off = 0; 417 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 418 int fd; 419 char key_loc[PROPERTY_VALUE_MAX]; 420 char real_blkdev[PROPERTY_VALUE_MAX]; 421 int rc = -1; 422 423 if (!cached_data) { 424 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 425 426 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 427 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 428 SLOGE("Cannot open real block device %s\n", real_blkdev); 429 return -1; 430 } 431 432 unsigned long nr_sec = 0; 433 get_blkdev_size(fd, &nr_sec); 434 if (nr_sec != 0) { 435 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 436 * encryption info footer and key, and plenty of bytes to spare for future 437 * growth. 438 */ 439 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 440 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 441 cached_data = 1; 442 } else { 443 SLOGE("Cannot get size of block device %s\n", real_blkdev); 444 } 445 close(fd); 446 } else { 447 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 448 cached_off = 0; 449 cached_data = 1; 450 } 451 } 452 453 if (cached_data) { 454 if (metadata_fname) { 455 *metadata_fname = cached_metadata_fname; 456 } 457 if (off) { 458 *off = cached_off; 459 } 460 rc = 0; 461 } 462 463 return rc; 464} 465 466/* key or salt can be NULL, in which case just skip writing that value. Useful to 467 * update the failed mount count but not change the key. 468 */ 469static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 470{ 471 int fd; 472 unsigned int cnt; 473 /* starting_off is set to the SEEK_SET offset 474 * where the crypto structure starts 475 */ 476 off64_t starting_off; 477 int rc = -1; 478 char *fname = NULL; 479 struct stat statbuf; 480 481 if (get_crypt_ftr_info(&fname, &starting_off)) { 482 SLOGE("Unable to get crypt_ftr_info\n"); 483 return -1; 484 } 485 if (fname[0] != '/') { 486 SLOGE("Unexpected value for crypto key location\n"); 487 return -1; 488 } 489 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 490 SLOGE("Cannot open footer file %s for put\n", fname); 491 return -1; 492 } 493 494 /* Seek to the start of the crypt footer */ 495 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 496 SLOGE("Cannot seek to real block device footer\n"); 497 goto errout; 498 } 499 500 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 501 SLOGE("Cannot write real block device footer\n"); 502 goto errout; 503 } 504 505 fstat(fd, &statbuf); 506 /* If the keys are kept on a raw block device, do not try to truncate it. */ 507 if (S_ISREG(statbuf.st_mode)) { 508 if (ftruncate(fd, 0x4000)) { 509 SLOGE("Cannot set footer file size\n"); 510 goto errout; 511 } 512 } 513 514 /* Success! */ 515 rc = 0; 516 517errout: 518 close(fd); 519 return rc; 520 521} 522 523static inline int unix_read(int fd, void* buff, int len) 524{ 525 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 526} 527 528static inline int unix_write(int fd, const void* buff, int len) 529{ 530 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 531} 532 533static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 534{ 535 memset(pdata, 0, len); 536 pdata->persist_magic = PERSIST_DATA_MAGIC; 537 pdata->persist_valid_entries = 0; 538} 539 540/* A routine to update the passed in crypt_ftr to the lastest version. 541 * fd is open read/write on the device that holds the crypto footer and persistent 542 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 543 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 544 */ 545static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 546{ 547 int orig_major = crypt_ftr->major_version; 548 int orig_minor = crypt_ftr->minor_version; 549 550 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 551 struct crypt_persist_data *pdata; 552 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 553 554 SLOGW("upgrading crypto footer to 1.1"); 555 556 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 557 if (pdata == NULL) { 558 SLOGE("Cannot allocate persisent data\n"); 559 return; 560 } 561 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 562 563 /* Need to initialize the persistent data area */ 564 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 565 SLOGE("Cannot seek to persisent data offset\n"); 566 free(pdata); 567 return; 568 } 569 /* Write all zeros to the first copy, making it invalid */ 570 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 571 572 /* Write a valid but empty structure to the second copy */ 573 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 574 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 575 576 /* Update the footer */ 577 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 578 crypt_ftr->persist_data_offset[0] = pdata_offset; 579 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 580 crypt_ftr->minor_version = 1; 581 free(pdata); 582 } 583 584 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 585 SLOGW("upgrading crypto footer to 1.2"); 586 /* But keep the old kdf_type. 587 * It will get updated later to KDF_SCRYPT after the password has been verified. 588 */ 589 crypt_ftr->kdf_type = KDF_PBKDF2; 590 get_device_scrypt_params(crypt_ftr); 591 crypt_ftr->minor_version = 2; 592 } 593 594 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 595 SLOGW("upgrading crypto footer to 1.3"); 596 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 597 crypt_ftr->minor_version = 3; 598 } 599 600 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 601 if (lseek64(fd, offset, SEEK_SET) == -1) { 602 SLOGE("Cannot seek to crypt footer\n"); 603 return; 604 } 605 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 606 } 607} 608 609 610static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 611{ 612 int fd; 613 unsigned int cnt; 614 off64_t starting_off; 615 int rc = -1; 616 char *fname = NULL; 617 struct stat statbuf; 618 619 if (get_crypt_ftr_info(&fname, &starting_off)) { 620 SLOGE("Unable to get crypt_ftr_info\n"); 621 return -1; 622 } 623 if (fname[0] != '/') { 624 SLOGE("Unexpected value for crypto key location\n"); 625 return -1; 626 } 627 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 628 SLOGE("Cannot open footer file %s for get\n", fname); 629 return -1; 630 } 631 632 /* Make sure it's 16 Kbytes in length */ 633 fstat(fd, &statbuf); 634 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 635 SLOGE("footer file %s is not the expected size!\n", fname); 636 goto errout; 637 } 638 639 /* Seek to the start of the crypt footer */ 640 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 641 SLOGE("Cannot seek to real block device footer\n"); 642 goto errout; 643 } 644 645 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 646 SLOGE("Cannot read real block device footer\n"); 647 goto errout; 648 } 649 650 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 651 SLOGE("Bad magic for real block device %s\n", fname); 652 goto errout; 653 } 654 655 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 656 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 657 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 658 goto errout; 659 } 660 661 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 662 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 663 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 664 } 665 666 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 667 * copy on disk before returning. 668 */ 669 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 670 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 671 } 672 673 /* Success! */ 674 rc = 0; 675 676errout: 677 close(fd); 678 return rc; 679} 680 681static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 682{ 683 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 684 crypt_ftr->persist_data_offset[1]) { 685 SLOGE("Crypt_ftr persist data regions overlap"); 686 return -1; 687 } 688 689 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 690 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 691 return -1; 692 } 693 694 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 695 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 696 CRYPT_FOOTER_OFFSET) { 697 SLOGE("Persistent data extends past crypto footer"); 698 return -1; 699 } 700 701 return 0; 702} 703 704static int load_persistent_data(void) 705{ 706 struct crypt_mnt_ftr crypt_ftr; 707 struct crypt_persist_data *pdata = NULL; 708 char encrypted_state[PROPERTY_VALUE_MAX]; 709 char *fname; 710 int found = 0; 711 int fd; 712 int ret; 713 int i; 714 715 if (persist_data) { 716 /* Nothing to do, we've already loaded or initialized it */ 717 return 0; 718 } 719 720 721 /* If not encrypted, just allocate an empty table and initialize it */ 722 property_get("ro.crypto.state", encrypted_state, ""); 723 if (strcmp(encrypted_state, "encrypted") ) { 724 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 725 if (pdata) { 726 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 727 persist_data = pdata; 728 return 0; 729 } 730 return -1; 731 } 732 733 if(get_crypt_ftr_and_key(&crypt_ftr)) { 734 return -1; 735 } 736 737 if ((crypt_ftr.major_version < 1) 738 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 739 SLOGE("Crypt_ftr version doesn't support persistent data"); 740 return -1; 741 } 742 743 if (get_crypt_ftr_info(&fname, NULL)) { 744 return -1; 745 } 746 747 ret = validate_persistent_data_storage(&crypt_ftr); 748 if (ret) { 749 return -1; 750 } 751 752 fd = open(fname, O_RDONLY|O_CLOEXEC); 753 if (fd < 0) { 754 SLOGE("Cannot open %s metadata file", fname); 755 return -1; 756 } 757 758 if (persist_data == NULL) { 759 pdata = malloc(crypt_ftr.persist_data_size); 760 if (pdata == NULL) { 761 SLOGE("Cannot allocate memory for persistent data"); 762 goto err; 763 } 764 } 765 766 for (i = 0; i < 2; i++) { 767 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 768 SLOGE("Cannot seek to read persistent data on %s", fname); 769 goto err2; 770 } 771 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 772 SLOGE("Error reading persistent data on iteration %d", i); 773 goto err2; 774 } 775 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 776 found = 1; 777 break; 778 } 779 } 780 781 if (!found) { 782 SLOGI("Could not find valid persistent data, creating"); 783 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 784 } 785 786 /* Success */ 787 persist_data = pdata; 788 close(fd); 789 return 0; 790 791err2: 792 free(pdata); 793 794err: 795 close(fd); 796 return -1; 797} 798 799static int save_persistent_data(void) 800{ 801 struct crypt_mnt_ftr crypt_ftr; 802 struct crypt_persist_data *pdata; 803 char *fname; 804 off64_t write_offset; 805 off64_t erase_offset; 806 int fd; 807 int ret; 808 809 if (persist_data == NULL) { 810 SLOGE("No persistent data to save"); 811 return -1; 812 } 813 814 if(get_crypt_ftr_and_key(&crypt_ftr)) { 815 return -1; 816 } 817 818 if ((crypt_ftr.major_version < 1) 819 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 820 SLOGE("Crypt_ftr version doesn't support persistent data"); 821 return -1; 822 } 823 824 ret = validate_persistent_data_storage(&crypt_ftr); 825 if (ret) { 826 return -1; 827 } 828 829 if (get_crypt_ftr_info(&fname, NULL)) { 830 return -1; 831 } 832 833 fd = open(fname, O_RDWR|O_CLOEXEC); 834 if (fd < 0) { 835 SLOGE("Cannot open %s metadata file", fname); 836 return -1; 837 } 838 839 pdata = malloc(crypt_ftr.persist_data_size); 840 if (pdata == NULL) { 841 SLOGE("Cannot allocate persistant data"); 842 goto err; 843 } 844 845 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 846 SLOGE("Cannot seek to read persistent data on %s", fname); 847 goto err2; 848 } 849 850 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 851 SLOGE("Error reading persistent data before save"); 852 goto err2; 853 } 854 855 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 856 /* The first copy is the curent valid copy, so write to 857 * the second copy and erase this one */ 858 write_offset = crypt_ftr.persist_data_offset[1]; 859 erase_offset = crypt_ftr.persist_data_offset[0]; 860 } else { 861 /* The second copy must be the valid copy, so write to 862 * the first copy, and erase the second */ 863 write_offset = crypt_ftr.persist_data_offset[0]; 864 erase_offset = crypt_ftr.persist_data_offset[1]; 865 } 866 867 /* Write the new copy first, if successful, then erase the old copy */ 868 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 869 SLOGE("Cannot seek to write persistent data"); 870 goto err2; 871 } 872 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 873 (int) crypt_ftr.persist_data_size) { 874 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 875 SLOGE("Cannot seek to erase previous persistent data"); 876 goto err2; 877 } 878 fsync(fd); 879 memset(pdata, 0, crypt_ftr.persist_data_size); 880 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 881 (int) crypt_ftr.persist_data_size) { 882 SLOGE("Cannot write to erase previous persistent data"); 883 goto err2; 884 } 885 fsync(fd); 886 } else { 887 SLOGE("Cannot write to save persistent data"); 888 goto err2; 889 } 890 891 /* Success */ 892 free(pdata); 893 close(fd); 894 return 0; 895 896err2: 897 free(pdata); 898err: 899 close(fd); 900 return -1; 901} 902 903static int hexdigit (char c) 904{ 905 if (c >= '0' && c <= '9') return c - '0'; 906 c = tolower(c); 907 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 908 return -1; 909} 910 911static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 912 unsigned int* out_keysize) 913{ 914 unsigned int i; 915 *out_keysize = 0; 916 917 size_t size = strlen (master_key_ascii); 918 if (size % 2) { 919 SLOGE("Trying to convert ascii string of odd length"); 920 return NULL; 921 } 922 923 unsigned char* master_key = (unsigned char*) malloc(size / 2); 924 if (master_key == 0) { 925 SLOGE("Cannot allocate"); 926 return NULL; 927 } 928 929 for (i = 0; i < size; i += 2) { 930 int high_nibble = hexdigit (master_key_ascii[i]); 931 int low_nibble = hexdigit (master_key_ascii[i + 1]); 932 933 if(high_nibble < 0 || low_nibble < 0) { 934 SLOGE("Invalid hex string"); 935 free (master_key); 936 return NULL; 937 } 938 939 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 940 (*out_keysize)++; 941 } 942 943 return master_key; 944} 945 946/* Convert a binary key of specified length into an ascii hex string equivalent, 947 * without the leading 0x and with null termination 948 */ 949static void convert_key_to_hex_ascii(const unsigned char *master_key, 950 unsigned int keysize, char *master_key_ascii) { 951 unsigned int i, a; 952 unsigned char nibble; 953 954 for (i=0, a=0; i<keysize; i++, a+=2) { 955 /* For each byte, write out two ascii hex digits */ 956 nibble = (master_key[i] >> 4) & 0xf; 957 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 958 959 nibble = master_key[i] & 0xf; 960 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 961 } 962 963 /* Add the null termination */ 964 master_key_ascii[a] = '\0'; 965 966} 967 968static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 969 const unsigned char *master_key, const char *real_blk_name, 970 const char *name, int fd, const char *extra_params) { 971 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 972 struct dm_ioctl *io; 973 struct dm_target_spec *tgt; 974 char *crypt_params; 975 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 976 int i; 977 978 io = (struct dm_ioctl *) buffer; 979 980 /* Load the mapping table for this device */ 981 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 982 983 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 984 io->target_count = 1; 985 tgt->status = 0; 986 tgt->sector_start = 0; 987 tgt->length = crypt_ftr->fs_size; 988#ifdef CONFIG_HW_DISK_ENCRYPTION 989 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 990 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 991 } 992 else { 993 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 994 } 995#else 996 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 997#endif 998 999 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1000 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1001 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1002 master_key_ascii, real_blk_name, extra_params); 1003 crypt_params += strlen(crypt_params) + 1; 1004 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1005 tgt->next = crypt_params - buffer; 1006 1007 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1008 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1009 break; 1010 } 1011 usleep(500000); 1012 } 1013 1014 if (i == TABLE_LOAD_RETRIES) { 1015 /* We failed to load the table, return an error */ 1016 return -1; 1017 } else { 1018 return i + 1; 1019 } 1020} 1021 1022 1023static int get_dm_crypt_version(int fd, const char *name, int *version) 1024{ 1025 char buffer[DM_CRYPT_BUF_SIZE]; 1026 struct dm_ioctl *io; 1027 struct dm_target_versions *v; 1028 1029 io = (struct dm_ioctl *) buffer; 1030 1031 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1032 1033 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1034 return -1; 1035 } 1036 1037 /* Iterate over the returned versions, looking for name of "crypt". 1038 * When found, get and return the version. 1039 */ 1040 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1041 while (v->next) { 1042#ifdef CONFIG_HW_DISK_ENCRYPTION 1043 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1044#else 1045 if (! strcmp(v->name, "crypt")) { 1046#endif 1047 /* We found the crypt driver, return the version, and get out */ 1048 version[0] = v->version[0]; 1049 version[1] = v->version[1]; 1050 version[2] = v->version[2]; 1051 return 0; 1052 } 1053 v = (struct dm_target_versions *)(((char *)v) + v->next); 1054 } 1055 1056 return -1; 1057} 1058 1059static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, 1060 const unsigned char *master_key, const char *real_blk_name, 1061 char *crypto_blk_name, const char *name) { 1062 char buffer[DM_CRYPT_BUF_SIZE]; 1063 struct dm_ioctl *io; 1064 unsigned int minor; 1065 int fd=0; 1066 int retval = -1; 1067 int version[3]; 1068 char *extra_params; 1069 int load_count; 1070 1071 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1072 SLOGE("Cannot open device-mapper\n"); 1073 goto errout; 1074 } 1075 1076 io = (struct dm_ioctl *) buffer; 1077 1078 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1079 if (ioctl(fd, DM_DEV_CREATE, io)) { 1080 SLOGE("Cannot create dm-crypt device\n"); 1081 goto errout; 1082 } 1083 1084 /* Get the device status, in particular, the name of it's device file */ 1085 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1086 if (ioctl(fd, DM_DEV_STATUS, io)) { 1087 SLOGE("Cannot retrieve dm-crypt device status\n"); 1088 goto errout; 1089 } 1090 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1091 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1092 1093 extra_params = ""; 1094 if (! get_dm_crypt_version(fd, name, version)) { 1095 /* Support for allow_discards was added in version 1.11.0 */ 1096 if ((version[0] >= 2) || 1097 ((version[0] == 1) && (version[1] >= 11))) { 1098 extra_params = "1 allow_discards"; 1099 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1100 } 1101 } 1102 1103 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1104 fd, extra_params); 1105 if (load_count < 0) { 1106 SLOGE("Cannot load dm-crypt mapping table.\n"); 1107 goto errout; 1108 } else if (load_count > 1) { 1109 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1110 } 1111 1112 /* Resume this device to activate it */ 1113 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1114 1115 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1116 SLOGE("Cannot resume the dm-crypt device\n"); 1117 goto errout; 1118 } 1119 1120 /* We made it here with no errors. Woot! */ 1121 retval = 0; 1122 1123errout: 1124 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1125 1126 return retval; 1127} 1128 1129static int delete_crypto_blk_dev(char *name) 1130{ 1131 int fd; 1132 char buffer[DM_CRYPT_BUF_SIZE]; 1133 struct dm_ioctl *io; 1134 int retval = -1; 1135 1136 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1137 SLOGE("Cannot open device-mapper\n"); 1138 goto errout; 1139 } 1140 1141 io = (struct dm_ioctl *) buffer; 1142 1143 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1144 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1145 SLOGE("Cannot remove dm-crypt device\n"); 1146 goto errout; 1147 } 1148 1149 /* We made it here with no errors. Woot! */ 1150 retval = 0; 1151 1152errout: 1153 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1154 1155 return retval; 1156 1157} 1158 1159static int pbkdf2(const char *passwd, const unsigned char *salt, 1160 unsigned char *ikey, void *params UNUSED) 1161{ 1162 SLOGI("Using pbkdf2 for cryptfs KDF"); 1163 1164 /* Turn the password into a key and IV that can decrypt the master key */ 1165 unsigned int keysize; 1166 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1167 if (!master_key) return -1; 1168 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1169 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1170 1171 memset(master_key, 0, keysize); 1172 free (master_key); 1173 return 0; 1174} 1175 1176static int scrypt(const char *passwd, const unsigned char *salt, 1177 unsigned char *ikey, void *params) 1178{ 1179 SLOGI("Using scrypt for cryptfs KDF"); 1180 1181 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1182 1183 int N = 1 << ftr->N_factor; 1184 int r = 1 << ftr->r_factor; 1185 int p = 1 << ftr->p_factor; 1186 1187 /* Turn the password into a key and IV that can decrypt the master key */ 1188 unsigned int keysize; 1189 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1190 if (!master_key) return -1; 1191 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1192 KEY_LEN_BYTES + IV_LEN_BYTES); 1193 1194 memset(master_key, 0, keysize); 1195 free (master_key); 1196 return 0; 1197} 1198 1199static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1200 unsigned char *ikey, void *params) 1201{ 1202 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1203 1204 int rc; 1205 unsigned int key_size; 1206 size_t signature_size; 1207 unsigned char* signature; 1208 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1209 1210 int N = 1 << ftr->N_factor; 1211 int r = 1 << ftr->r_factor; 1212 int p = 1 << ftr->p_factor; 1213 1214 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1215 if (!master_key) { 1216 SLOGE("Failed to convert passwd from hex"); 1217 return -1; 1218 } 1219 1220 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1221 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1222 memset(master_key, 0, key_size); 1223 free(master_key); 1224 1225 if (rc) { 1226 SLOGE("scrypt failed"); 1227 return -1; 1228 } 1229 1230 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1231 &signature, &signature_size)) { 1232 SLOGE("Signing failed"); 1233 return -1; 1234 } 1235 1236 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1237 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1238 free(signature); 1239 1240 if (rc) { 1241 SLOGE("scrypt failed"); 1242 return -1; 1243 } 1244 1245 return 0; 1246} 1247 1248static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1249 const unsigned char *decrypted_master_key, 1250 unsigned char *encrypted_master_key, 1251 struct crypt_mnt_ftr *crypt_ftr) 1252{ 1253 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1254 EVP_CIPHER_CTX e_ctx; 1255 int encrypted_len, final_len; 1256 int rc = 0; 1257 1258 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1259 get_device_scrypt_params(crypt_ftr); 1260 1261 switch (crypt_ftr->kdf_type) { 1262 case KDF_SCRYPT_KEYMASTER: 1263 if (keymaster_create_key(crypt_ftr)) { 1264 SLOGE("keymaster_create_key failed"); 1265 return -1; 1266 } 1267 1268 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1269 SLOGE("scrypt failed"); 1270 return -1; 1271 } 1272 break; 1273 1274 case KDF_SCRYPT: 1275 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1276 SLOGE("scrypt failed"); 1277 return -1; 1278 } 1279 break; 1280 1281 default: 1282 SLOGE("Invalid kdf_type"); 1283 return -1; 1284 } 1285 1286 /* Initialize the decryption engine */ 1287 EVP_CIPHER_CTX_init(&e_ctx); 1288 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1289 SLOGE("EVP_EncryptInit failed\n"); 1290 return -1; 1291 } 1292 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1293 1294 /* Encrypt the master key */ 1295 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1296 decrypted_master_key, KEY_LEN_BYTES)) { 1297 SLOGE("EVP_EncryptUpdate failed\n"); 1298 return -1; 1299 } 1300 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1301 SLOGE("EVP_EncryptFinal failed\n"); 1302 return -1; 1303 } 1304 1305 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1306 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1307 return -1; 1308 } 1309 1310 /* Store the scrypt of the intermediate key, so we can validate if it's a 1311 password error or mount error when things go wrong. 1312 Note there's no need to check for errors, since if this is incorrect, we 1313 simply won't wipe userdata, which is the correct default behavior 1314 */ 1315 int N = 1 << crypt_ftr->N_factor; 1316 int r = 1 << crypt_ftr->r_factor; 1317 int p = 1 << crypt_ftr->p_factor; 1318 1319 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1320 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1321 crypt_ftr->scrypted_intermediate_key, 1322 sizeof(crypt_ftr->scrypted_intermediate_key)); 1323 1324 if (rc) { 1325 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1326 } 1327 1328 return 0; 1329} 1330 1331static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1332 unsigned char *encrypted_master_key, 1333 unsigned char *decrypted_master_key, 1334 kdf_func kdf, void *kdf_params, 1335 unsigned char** intermediate_key, 1336 size_t* intermediate_key_size) 1337{ 1338 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1339 EVP_CIPHER_CTX d_ctx; 1340 int decrypted_len, final_len; 1341 1342 /* Turn the password into an intermediate key and IV that can decrypt the 1343 master key */ 1344 if (kdf(passwd, salt, ikey, kdf_params)) { 1345 SLOGE("kdf failed"); 1346 return -1; 1347 } 1348 1349 /* Initialize the decryption engine */ 1350 EVP_CIPHER_CTX_init(&d_ctx); 1351 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1352 return -1; 1353 } 1354 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1355 /* Decrypt the master key */ 1356 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1357 encrypted_master_key, KEY_LEN_BYTES)) { 1358 return -1; 1359 } 1360 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1361 return -1; 1362 } 1363 1364 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1365 return -1; 1366 } 1367 1368 /* Copy intermediate key if needed by params */ 1369 if (intermediate_key && intermediate_key_size) { 1370 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1371 if (intermediate_key) { 1372 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1373 *intermediate_key_size = KEY_LEN_BYTES; 1374 } 1375 } 1376 1377 return 0; 1378} 1379 1380static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1381{ 1382 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1383 *kdf = scrypt_keymaster; 1384 *kdf_params = ftr; 1385 } else if (ftr->kdf_type == KDF_SCRYPT) { 1386 *kdf = scrypt; 1387 *kdf_params = ftr; 1388 } else { 1389 *kdf = pbkdf2; 1390 *kdf_params = NULL; 1391 } 1392} 1393 1394static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1395 struct crypt_mnt_ftr *crypt_ftr, 1396 unsigned char** intermediate_key, 1397 size_t* intermediate_key_size) 1398{ 1399 kdf_func kdf; 1400 void *kdf_params; 1401 int ret; 1402 1403 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1404 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1405 decrypted_master_key, kdf, kdf_params, 1406 intermediate_key, intermediate_key_size); 1407 if (ret != 0) { 1408 SLOGW("failure decrypting master key"); 1409 } 1410 1411 return ret; 1412} 1413 1414static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1415 struct crypt_mnt_ftr *crypt_ftr) { 1416 int fd; 1417 unsigned char key_buf[KEY_LEN_BYTES]; 1418 1419 /* Get some random bits for a key */ 1420 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1421 read(fd, key_buf, sizeof(key_buf)); 1422 read(fd, salt, SALT_LEN); 1423 close(fd); 1424 1425 /* Now encrypt it with the password */ 1426 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1427} 1428 1429static int wait_and_unmount(char *mountpoint, bool kill) 1430{ 1431 int i, err, rc; 1432#define WAIT_UNMOUNT_COUNT 20 1433 1434 /* Now umount the tmpfs filesystem */ 1435 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1436 if (umount(mountpoint) == 0) { 1437 break; 1438 } 1439 1440 if (errno == EINVAL) { 1441 /* EINVAL is returned if the directory is not a mountpoint, 1442 * i.e. there is no filesystem mounted there. So just get out. 1443 */ 1444 break; 1445 } 1446 1447 err = errno; 1448 1449 /* If allowed, be increasingly aggressive before the last two retries */ 1450 if (kill) { 1451 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1452 SLOGW("sending SIGHUP to processes with open files\n"); 1453 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1454 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1455 SLOGW("sending SIGKILL to processes with open files\n"); 1456 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1457 } 1458 } 1459 1460 sleep(1); 1461 } 1462 1463 if (i < WAIT_UNMOUNT_COUNT) { 1464 SLOGD("unmounting %s succeeded\n", mountpoint); 1465 rc = 0; 1466 } else { 1467 vold_killProcessesWithOpenFiles(mountpoint, 0); 1468 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1469 rc = -1; 1470 } 1471 1472 return rc; 1473} 1474 1475#define DATA_PREP_TIMEOUT 200 1476static int prep_data_fs(void) 1477{ 1478 int i; 1479 1480 /* Do the prep of the /data filesystem */ 1481 property_set("vold.post_fs_data_done", "0"); 1482 property_set("vold.decrypt", "trigger_post_fs_data"); 1483 SLOGD("Just triggered post_fs_data\n"); 1484 1485 /* Wait a max of 50 seconds, hopefully it takes much less */ 1486 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1487 char p[PROPERTY_VALUE_MAX]; 1488 1489 property_get("vold.post_fs_data_done", p, "0"); 1490 if (*p == '1') { 1491 break; 1492 } else { 1493 usleep(250000); 1494 } 1495 } 1496 if (i == DATA_PREP_TIMEOUT) { 1497 /* Ugh, we failed to prep /data in time. Bail. */ 1498 SLOGE("post_fs_data timed out!\n"); 1499 return -1; 1500 } else { 1501 SLOGD("post_fs_data done\n"); 1502 return 0; 1503 } 1504} 1505 1506static void cryptfs_set_corrupt() 1507{ 1508 // Mark the footer as bad 1509 struct crypt_mnt_ftr crypt_ftr; 1510 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1511 SLOGE("Failed to get crypto footer - panic"); 1512 return; 1513 } 1514 1515 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1516 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1517 SLOGE("Failed to set crypto footer - panic"); 1518 return; 1519 } 1520} 1521 1522static void cryptfs_trigger_restart_min_framework() 1523{ 1524 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1525 SLOGE("Failed to mount tmpfs on data - panic"); 1526 return; 1527 } 1528 1529 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1530 SLOGE("Failed to trigger post fs data - panic"); 1531 return; 1532 } 1533 1534 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1535 SLOGE("Failed to trigger restart min framework - panic"); 1536 return; 1537 } 1538} 1539 1540/* returns < 0 on failure */ 1541static int cryptfs_restart_internal(int restart_main) 1542{ 1543 char crypto_blkdev[MAXPATHLEN]; 1544 int rc = -1; 1545 static int restart_successful = 0; 1546 1547 /* Validate that it's OK to call this routine */ 1548 if (! master_key_saved) { 1549 SLOGE("Encrypted filesystem not validated, aborting"); 1550 return -1; 1551 } 1552 1553 if (restart_successful) { 1554 SLOGE("System already restarted with encrypted disk, aborting"); 1555 return -1; 1556 } 1557 1558 if (restart_main) { 1559 /* Here is where we shut down the framework. The init scripts 1560 * start all services in one of three classes: core, main or late_start. 1561 * On boot, we start core and main. Now, we stop main, but not core, 1562 * as core includes vold and a few other really important things that 1563 * we need to keep running. Once main has stopped, we should be able 1564 * to umount the tmpfs /data, then mount the encrypted /data. 1565 * We then restart the class main, and also the class late_start. 1566 * At the moment, I've only put a few things in late_start that I know 1567 * are not needed to bring up the framework, and that also cause problems 1568 * with unmounting the tmpfs /data, but I hope to add add more services 1569 * to the late_start class as we optimize this to decrease the delay 1570 * till the user is asked for the password to the filesystem. 1571 */ 1572 1573 /* The init files are setup to stop the class main when vold.decrypt is 1574 * set to trigger_reset_main. 1575 */ 1576 property_set("vold.decrypt", "trigger_reset_main"); 1577 SLOGD("Just asked init to shut down class main\n"); 1578 1579 /* Ugh, shutting down the framework is not synchronous, so until it 1580 * can be fixed, this horrible hack will wait a moment for it all to 1581 * shut down before proceeding. Without it, some devices cannot 1582 * restart the graphics services. 1583 */ 1584 sleep(2); 1585 } 1586 1587 /* Now that the framework is shutdown, we should be able to umount() 1588 * the tmpfs filesystem, and mount the real one. 1589 */ 1590 1591 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1592 if (strlen(crypto_blkdev) == 0) { 1593 SLOGE("fs_crypto_blkdev not set\n"); 1594 return -1; 1595 } 1596 1597 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1598 /* If ro.crypto.readonly is set to 1, mount the decrypted 1599 * filesystem readonly. This is used when /data is mounted by 1600 * recovery mode. 1601 */ 1602 char ro_prop[PROPERTY_VALUE_MAX]; 1603 property_get("ro.crypto.readonly", ro_prop, ""); 1604 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1605 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1606 rec->flags |= MS_RDONLY; 1607 } 1608 1609 /* If that succeeded, then mount the decrypted filesystem */ 1610 int retries = RETRY_MOUNT_ATTEMPTS; 1611 int mount_rc; 1612 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1613 crypto_blkdev, 0)) 1614 != 0) { 1615 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1616 /* TODO: invoke something similar to 1617 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1618 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1619 SLOGI("Failed to mount %s because it is busy - waiting", 1620 crypto_blkdev); 1621 if (--retries) { 1622 sleep(RETRY_MOUNT_DELAY_SECONDS); 1623 } else { 1624 /* Let's hope that a reboot clears away whatever is keeping 1625 the mount busy */ 1626 cryptfs_reboot(reboot); 1627 } 1628 } else { 1629 SLOGE("Failed to mount decrypted data"); 1630 cryptfs_set_corrupt(); 1631 cryptfs_trigger_restart_min_framework(); 1632 SLOGI("Started framework to offer wipe"); 1633 return -1; 1634 } 1635 } 1636 1637 property_set("vold.decrypt", "trigger_load_persist_props"); 1638 /* Create necessary paths on /data */ 1639 if (prep_data_fs()) { 1640 return -1; 1641 } 1642 1643 /* startup service classes main and late_start */ 1644 property_set("vold.decrypt", "trigger_restart_framework"); 1645 SLOGD("Just triggered restart_framework\n"); 1646 1647 /* Give it a few moments to get started */ 1648 sleep(1); 1649 } 1650 1651 if (rc == 0) { 1652 restart_successful = 1; 1653 } 1654 1655 return rc; 1656} 1657 1658int cryptfs_restart(void) 1659{ 1660 SLOGI("cryptfs_restart"); 1661 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 1662 struct fstab_rec* rec; 1663 int rc; 1664 1665 if (e4crypt_restart(DATA_MNT_POINT)) { 1666 SLOGE("Can't unmount e4crypt temp volume\n"); 1667 return -1; 1668 } 1669 1670 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1671 if (!rec) { 1672 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT); 1673 return -1; 1674 } 1675 1676 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0); 1677 if (rc) { 1678 SLOGE("Can't mount %s\n", DATA_MNT_POINT); 1679 return rc; 1680 } 1681 1682 property_set("vold.decrypt", "trigger_restart_framework"); 1683 return 0; 1684 } 1685 1686 /* Call internal implementation forcing a restart of main service group */ 1687 return cryptfs_restart_internal(1); 1688} 1689 1690static int do_crypto_complete(char *mount_point) 1691{ 1692 struct crypt_mnt_ftr crypt_ftr; 1693 char encrypted_state[PROPERTY_VALUE_MAX]; 1694 char key_loc[PROPERTY_VALUE_MAX]; 1695 1696 property_get("ro.crypto.state", encrypted_state, ""); 1697 if (strcmp(encrypted_state, "encrypted") ) { 1698 SLOGE("not running with encryption, aborting"); 1699 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1700 } 1701 1702 if (e4crypt_crypto_complete(mount_point) == 0) { 1703 return CRYPTO_COMPLETE_ENCRYPTED; 1704 } 1705 1706 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1707 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1708 1709 /* 1710 * Only report this error if key_loc is a file and it exists. 1711 * If the device was never encrypted, and /data is not mountable for 1712 * some reason, returning 1 should prevent the UI from presenting the 1713 * a "enter password" screen, or worse, a "press button to wipe the 1714 * device" screen. 1715 */ 1716 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1717 SLOGE("master key file does not exist, aborting"); 1718 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1719 } else { 1720 SLOGE("Error getting crypt footer and key\n"); 1721 return CRYPTO_COMPLETE_BAD_METADATA; 1722 } 1723 } 1724 1725 // Test for possible error flags 1726 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1727 SLOGE("Encryption process is partway completed\n"); 1728 return CRYPTO_COMPLETE_PARTIAL; 1729 } 1730 1731 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1732 SLOGE("Encryption process was interrupted but cannot continue\n"); 1733 return CRYPTO_COMPLETE_INCONSISTENT; 1734 } 1735 1736 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1737 SLOGE("Encryption is successful but data is corrupt\n"); 1738 return CRYPTO_COMPLETE_CORRUPT; 1739 } 1740 1741 /* We passed the test! We shall diminish, and return to the west */ 1742 return CRYPTO_COMPLETE_ENCRYPTED; 1743} 1744 1745static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1746 char *passwd, char *mount_point, char *label) 1747{ 1748 /* Allocate enough space for a 256 bit key, but we may use less */ 1749 unsigned char decrypted_master_key[32]; 1750 char crypto_blkdev[MAXPATHLEN]; 1751 char real_blkdev[MAXPATHLEN]; 1752 char tmp_mount_point[64]; 1753 unsigned int orig_failed_decrypt_count; 1754 int rc; 1755 int use_keymaster = 0; 1756 int upgrade = 0; 1757 unsigned char* intermediate_key = 0; 1758 size_t intermediate_key_size = 0; 1759 1760 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1761 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1762 1763 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1764 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1765 &intermediate_key, &intermediate_key_size)) { 1766 SLOGE("Failed to decrypt master key\n"); 1767 rc = -1; 1768 goto errout; 1769 } 1770 } 1771 1772 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1773 1774#ifdef CONFIG_HW_DISK_ENCRYPTION 1775 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1776 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1777 SLOGE("Hardware encryption key does not match"); 1778 } 1779 } 1780#endif 1781 1782 // Create crypto block device - all (non fatal) code paths 1783 // need it 1784 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1785 real_blkdev, crypto_blkdev, label)) { 1786 SLOGE("Error creating decrypted block device\n"); 1787 rc = -1; 1788 goto errout; 1789 } 1790 1791 /* Work out if the problem is the password or the data */ 1792 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1793 scrypted_intermediate_key)]; 1794 int N = 1 << crypt_ftr->N_factor; 1795 int r = 1 << crypt_ftr->r_factor; 1796 int p = 1 << crypt_ftr->p_factor; 1797 1798 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1799 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1800 N, r, p, scrypted_intermediate_key, 1801 sizeof(scrypted_intermediate_key)); 1802 1803 // Does the key match the crypto footer? 1804 if (rc == 0 && memcmp(scrypted_intermediate_key, 1805 crypt_ftr->scrypted_intermediate_key, 1806 sizeof(scrypted_intermediate_key)) == 0) { 1807 SLOGI("Password matches"); 1808 rc = 0; 1809 } else { 1810 /* Try mounting the file system anyway, just in case the problem's with 1811 * the footer, not the key. */ 1812 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1813 mkdir(tmp_mount_point, 0755); 1814 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1815 SLOGE("Error temp mounting decrypted block device\n"); 1816 delete_crypto_blk_dev(label); 1817 1818 rc = ++crypt_ftr->failed_decrypt_count; 1819 put_crypt_ftr_and_key(crypt_ftr); 1820 } else { 1821 /* Success! */ 1822 SLOGI("Password did not match but decrypted drive mounted - continue"); 1823 umount(tmp_mount_point); 1824 rc = 0; 1825 } 1826 } 1827 1828 if (rc == 0) { 1829 crypt_ftr->failed_decrypt_count = 0; 1830 if (orig_failed_decrypt_count != 0) { 1831 put_crypt_ftr_and_key(crypt_ftr); 1832 } 1833 1834 /* Save the name of the crypto block device 1835 * so we can mount it when restarting the framework. */ 1836 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1837 1838 /* Also save a the master key so we can reencrypted the key 1839 * the key when we want to change the password on it. */ 1840 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1841 saved_mount_point = strdup(mount_point); 1842 master_key_saved = 1; 1843 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1844 rc = 0; 1845 1846 // Upgrade if we're not using the latest KDF. 1847 use_keymaster = keymaster_check_compatibility(); 1848 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1849 // Don't allow downgrade 1850 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1851 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1852 upgrade = 1; 1853 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1854 crypt_ftr->kdf_type = KDF_SCRYPT; 1855 upgrade = 1; 1856 } 1857 1858 if (upgrade) { 1859 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1860 crypt_ftr->master_key, crypt_ftr); 1861 if (!rc) { 1862 rc = put_crypt_ftr_and_key(crypt_ftr); 1863 } 1864 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1865 1866 // Do not fail even if upgrade failed - machine is bootable 1867 // Note that if this code is ever hit, there is a *serious* problem 1868 // since KDFs should never fail. You *must* fix the kdf before 1869 // proceeding! 1870 if (rc) { 1871 SLOGW("Upgrade failed with error %d," 1872 " but continuing with previous state", 1873 rc); 1874 rc = 0; 1875 } 1876 } 1877 } 1878 1879 errout: 1880 if (intermediate_key) { 1881 memset(intermediate_key, 0, intermediate_key_size); 1882 free(intermediate_key); 1883 } 1884 return rc; 1885} 1886 1887/* 1888 * Called by vold when it's asked to mount an encrypted external 1889 * storage volume. The incoming partition has no crypto header/footer, 1890 * as any metadata is been stored in a separate, small partition. 1891 * 1892 * out_crypto_blkdev must be MAXPATHLEN. 1893 */ 1894int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1895 const unsigned char* key, int keysize, char* out_crypto_blkdev) { 1896 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1897 if (fd == -1) { 1898 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1899 return -1; 1900 } 1901 1902 unsigned long nr_sec = 0; 1903 get_blkdev_size(fd, &nr_sec); 1904 close(fd); 1905 1906 if (nr_sec == 0) { 1907 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1908 return -1; 1909 } 1910 1911 struct crypt_mnt_ftr ext_crypt_ftr; 1912 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1913 ext_crypt_ftr.fs_size = nr_sec; 1914 ext_crypt_ftr.keysize = keysize; 1915 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 1916 1917 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, 1918 out_crypto_blkdev, label); 1919} 1920 1921/* 1922 * Called by vold when it's asked to unmount an encrypted external 1923 * storage volume. 1924 */ 1925int cryptfs_revert_ext_volume(const char* label) { 1926 return delete_crypto_blk_dev((char*) label); 1927} 1928 1929int cryptfs_crypto_complete(void) 1930{ 1931 return do_crypto_complete("/data"); 1932} 1933 1934int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1935{ 1936 char encrypted_state[PROPERTY_VALUE_MAX]; 1937 property_get("ro.crypto.state", encrypted_state, ""); 1938 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1939 SLOGE("encrypted fs already validated or not running with encryption," 1940 " aborting"); 1941 return -1; 1942 } 1943 1944 if (get_crypt_ftr_and_key(crypt_ftr)) { 1945 SLOGE("Error getting crypt footer and key"); 1946 return -1; 1947 } 1948 1949 return 0; 1950} 1951 1952/* 1953 * TODO - transition patterns to new format in calling code 1954 * and remove this vile hack, and the use of hex in 1955 * the password passing code. 1956 * 1957 * Patterns are passed in zero based (i.e. the top left dot 1958 * is represented by zero, the top middle one etc), but we want 1959 * to store them '1' based. 1960 * This is to allow us to migrate the calling code to use this 1961 * convention. It also solves a nasty problem whereby scrypt ignores 1962 * trailing zeros, so patterns ending at the top left could be 1963 * truncated, and similarly, you could add the top left to any 1964 * pattern and still match. 1965 * adjust_passwd is a hack function that returns the alternate representation 1966 * if the password appears to be a pattern (hex numbers all less than 09) 1967 * If it succeeds we need to try both, and in particular try the alternate 1968 * first. If the original matches, then we need to update the footer 1969 * with the alternate. 1970 * All code that accepts passwords must adjust them first. Since 1971 * cryptfs_check_passwd is always the first function called after a migration 1972 * (and indeed on any boot) we only need to do the double try in this 1973 * function. 1974 */ 1975char* adjust_passwd(const char* passwd) 1976{ 1977 size_t index, length; 1978 1979 if (!passwd) { 1980 return 0; 1981 } 1982 1983 // Check even length. Hex encoded passwords are always 1984 // an even length, since each character encodes to two characters. 1985 length = strlen(passwd); 1986 if (length % 2) { 1987 SLOGW("Password not correctly hex encoded."); 1988 return 0; 1989 } 1990 1991 // Check password is old-style pattern - a collection of hex 1992 // encoded bytes less than 9 (00 through 08) 1993 for (index = 0; index < length; index +=2) { 1994 if (passwd[index] != '0' 1995 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1996 return 0; 1997 } 1998 } 1999 2000 // Allocate room for adjusted passwd and null terminate 2001 char* adjusted = malloc(length + 1); 2002 adjusted[length] = 0; 2003 2004 // Add 0x31 ('1') to each character 2005 for (index = 0; index < length; index += 2) { 2006 // output is 31 through 39 so set first byte to three, second to src + 1 2007 adjusted[index] = '3'; 2008 adjusted[index + 1] = passwd[index + 1] + 1; 2009 } 2010 2011 return adjusted; 2012} 2013 2014int cryptfs_check_passwd(char *passwd) 2015{ 2016 SLOGI("cryptfs_check_passwd"); 2017 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 2018 return e4crypt_check_passwd(DATA_MNT_POINT, passwd); 2019 } 2020 2021 struct crypt_mnt_ftr crypt_ftr; 2022 int rc; 2023 2024 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2025 if (rc) 2026 return rc; 2027 2028 char* adjusted_passwd = adjust_passwd(passwd); 2029 if (adjusted_passwd) { 2030 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2031 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2032 DATA_MNT_POINT, "userdata"); 2033 2034 // Maybe the original one still works? 2035 if (rc) { 2036 // Don't double count this failure 2037 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2038 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2039 DATA_MNT_POINT, "userdata"); 2040 if (!rc) { 2041 // cryptfs_changepw also adjusts so pass original 2042 // Note that adjust_passwd only recognises patterns 2043 // so we can safely use CRYPT_TYPE_PATTERN 2044 SLOGI("Updating pattern to new format"); 2045 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2046 } 2047 } 2048 free(adjusted_passwd); 2049 } else { 2050 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2051 DATA_MNT_POINT, "userdata"); 2052 } 2053 2054 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2055 cryptfs_clear_password(); 2056 password = strdup(passwd); 2057 struct timespec now; 2058 clock_gettime(CLOCK_BOOTTIME, &now); 2059 password_expiry_time = now.tv_sec + password_max_age_seconds; 2060 } 2061 2062 return rc; 2063} 2064 2065int cryptfs_verify_passwd(char *passwd) 2066{ 2067 struct crypt_mnt_ftr crypt_ftr; 2068 /* Allocate enough space for a 256 bit key, but we may use less */ 2069 unsigned char decrypted_master_key[32]; 2070 char encrypted_state[PROPERTY_VALUE_MAX]; 2071 int rc; 2072 2073 property_get("ro.crypto.state", encrypted_state, ""); 2074 if (strcmp(encrypted_state, "encrypted") ) { 2075 SLOGE("device not encrypted, aborting"); 2076 return -2; 2077 } 2078 2079 if (!master_key_saved) { 2080 SLOGE("encrypted fs not yet mounted, aborting"); 2081 return -1; 2082 } 2083 2084 if (!saved_mount_point) { 2085 SLOGE("encrypted fs failed to save mount point, aborting"); 2086 return -1; 2087 } 2088 2089 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2090 SLOGE("Error getting crypt footer and key\n"); 2091 return -1; 2092 } 2093 2094 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2095 /* If the device has no password, then just say the password is valid */ 2096 rc = 0; 2097 } else { 2098 char* adjusted_passwd = adjust_passwd(passwd); 2099 if (adjusted_passwd) { 2100 passwd = adjusted_passwd; 2101 } 2102 2103 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2104 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2105 /* They match, the password is correct */ 2106 rc = 0; 2107 } else { 2108 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2109 sleep(1); 2110 rc = 1; 2111 } 2112 2113 free(adjusted_passwd); 2114 } 2115 2116 return rc; 2117} 2118 2119/* Initialize a crypt_mnt_ftr structure. The keysize is 2120 * defaulted to 16 bytes, and the filesystem size to 0. 2121 * Presumably, at a minimum, the caller will update the 2122 * filesystem size and crypto_type_name after calling this function. 2123 */ 2124static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2125{ 2126 off64_t off; 2127 2128 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2129 ftr->magic = CRYPT_MNT_MAGIC; 2130 ftr->major_version = CURRENT_MAJOR_VERSION; 2131 ftr->minor_version = CURRENT_MINOR_VERSION; 2132 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2133 ftr->keysize = KEY_LEN_BYTES; 2134 2135 switch (keymaster_check_compatibility()) { 2136 case 1: 2137 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2138 break; 2139 2140 case 0: 2141 ftr->kdf_type = KDF_SCRYPT; 2142 break; 2143 2144 default: 2145 SLOGE("keymaster_check_compatibility failed"); 2146 return -1; 2147 } 2148 2149 get_device_scrypt_params(ftr); 2150 2151 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2152 if (get_crypt_ftr_info(NULL, &off) == 0) { 2153 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2154 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2155 ftr->persist_data_size; 2156 } 2157 2158 return 0; 2159} 2160 2161static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2162{ 2163 const char *args[10]; 2164 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2165 int num_args; 2166 int status; 2167 int tmp; 2168 int rc = -1; 2169 2170 if (type == EXT4_FS) { 2171 args[0] = "/system/bin/make_ext4fs"; 2172 args[1] = "-a"; 2173 args[2] = "/data"; 2174 args[3] = "-l"; 2175 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2176 args[4] = size_str; 2177 args[5] = crypto_blkdev; 2178 num_args = 6; 2179 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2180 args[0], args[1], args[2], args[3], args[4], args[5]); 2181 } else if (type == F2FS_FS) { 2182 args[0] = "/system/bin/mkfs.f2fs"; 2183 args[1] = "-t"; 2184 args[2] = "-d1"; 2185 args[3] = crypto_blkdev; 2186 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2187 args[4] = size_str; 2188 num_args = 5; 2189 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2190 args[0], args[1], args[2], args[3], args[4]); 2191 } else { 2192 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2193 return -1; 2194 } 2195 2196 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2197 2198 if (tmp != 0) { 2199 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2200 } else { 2201 if (WIFEXITED(status)) { 2202 if (WEXITSTATUS(status)) { 2203 SLOGE("Error creating filesystem on %s, exit status %d ", 2204 crypto_blkdev, WEXITSTATUS(status)); 2205 } else { 2206 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2207 rc = 0; 2208 } 2209 } else { 2210 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2211 } 2212 } 2213 2214 return rc; 2215} 2216 2217#define CRYPT_INPLACE_BUFSIZE 4096 2218#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2219#define CRYPT_SECTOR_SIZE 512 2220 2221/* aligned 32K writes tends to make flash happy. 2222 * SD card association recommends it. 2223 */ 2224#ifndef CONFIG_HW_DISK_ENCRYPTION 2225#define BLOCKS_AT_A_TIME 8 2226#else 2227#define BLOCKS_AT_A_TIME 1024 2228#endif 2229 2230struct encryptGroupsData 2231{ 2232 int realfd; 2233 int cryptofd; 2234 off64_t numblocks; 2235 off64_t one_pct, cur_pct, new_pct; 2236 off64_t blocks_already_done, tot_numblocks; 2237 off64_t used_blocks_already_done, tot_used_blocks; 2238 char* real_blkdev, * crypto_blkdev; 2239 int count; 2240 off64_t offset; 2241 char* buffer; 2242 off64_t last_written_sector; 2243 int completed; 2244 time_t time_started; 2245 int remaining_time; 2246}; 2247 2248static void update_progress(struct encryptGroupsData* data, int is_used) 2249{ 2250 data->blocks_already_done++; 2251 2252 if (is_used) { 2253 data->used_blocks_already_done++; 2254 } 2255 if (data->tot_used_blocks) { 2256 data->new_pct = data->used_blocks_already_done / data->one_pct; 2257 } else { 2258 data->new_pct = data->blocks_already_done / data->one_pct; 2259 } 2260 2261 if (data->new_pct > data->cur_pct) { 2262 char buf[8]; 2263 data->cur_pct = data->new_pct; 2264 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2265 property_set("vold.encrypt_progress", buf); 2266 } 2267 2268 if (data->cur_pct >= 5) { 2269 struct timespec time_now; 2270 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2271 SLOGW("Error getting time"); 2272 } else { 2273 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2274 off64_t remaining_blocks = data->tot_used_blocks 2275 - data->used_blocks_already_done; 2276 int remaining_time = (int)(elapsed_time * remaining_blocks 2277 / data->used_blocks_already_done); 2278 2279 // Change time only if not yet set, lower, or a lot higher for 2280 // best user experience 2281 if (data->remaining_time == -1 2282 || remaining_time < data->remaining_time 2283 || remaining_time > data->remaining_time + 60) { 2284 char buf[8]; 2285 snprintf(buf, sizeof(buf), "%d", remaining_time); 2286 property_set("vold.encrypt_time_remaining", buf); 2287 data->remaining_time = remaining_time; 2288 } 2289 } 2290 } 2291} 2292 2293static void log_progress(struct encryptGroupsData const* data, bool completed) 2294{ 2295 // Precondition - if completed data = 0 else data != 0 2296 2297 // Track progress so we can skip logging blocks 2298 static off64_t offset = -1; 2299 2300 // Need to close existing 'Encrypting from' log? 2301 if (completed || (offset != -1 && data->offset != offset)) { 2302 SLOGI("Encrypted to sector %" PRId64, 2303 offset / info.block_size * CRYPT_SECTOR_SIZE); 2304 offset = -1; 2305 } 2306 2307 // Need to start new 'Encrypting from' log? 2308 if (!completed && offset != data->offset) { 2309 SLOGI("Encrypting from sector %" PRId64, 2310 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2311 } 2312 2313 // Update offset 2314 if (!completed) { 2315 offset = data->offset + (off64_t)data->count * info.block_size; 2316 } 2317} 2318 2319static int flush_outstanding_data(struct encryptGroupsData* data) 2320{ 2321 if (data->count == 0) { 2322 return 0; 2323 } 2324 2325 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2326 2327 if (pread64(data->realfd, data->buffer, 2328 info.block_size * data->count, data->offset) 2329 <= 0) { 2330 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2331 data->real_blkdev); 2332 return -1; 2333 } 2334 2335 if (pwrite64(data->cryptofd, data->buffer, 2336 info.block_size * data->count, data->offset) 2337 <= 0) { 2338 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2339 data->crypto_blkdev); 2340 return -1; 2341 } else { 2342 log_progress(data, false); 2343 } 2344 2345 data->count = 0; 2346 data->last_written_sector = (data->offset + data->count) 2347 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2348 return 0; 2349} 2350 2351static int encrypt_groups(struct encryptGroupsData* data) 2352{ 2353 unsigned int i; 2354 u8 *block_bitmap = 0; 2355 unsigned int block; 2356 off64_t ret; 2357 int rc = -1; 2358 2359 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2360 if (!data->buffer) { 2361 SLOGE("Failed to allocate crypto buffer"); 2362 goto errout; 2363 } 2364 2365 block_bitmap = malloc(info.block_size); 2366 if (!block_bitmap) { 2367 SLOGE("failed to allocate block bitmap"); 2368 goto errout; 2369 } 2370 2371 for (i = 0; i < aux_info.groups; ++i) { 2372 SLOGI("Encrypting group %d", i); 2373 2374 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2375 u32 block_count = min(info.blocks_per_group, 2376 aux_info.len_blocks - first_block); 2377 2378 off64_t offset = (u64)info.block_size 2379 * aux_info.bg_desc[i].bg_block_bitmap; 2380 2381 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2382 if (ret != (int)info.block_size) { 2383 SLOGE("failed to read all of block group bitmap %d", i); 2384 goto errout; 2385 } 2386 2387 offset = (u64)info.block_size * first_block; 2388 2389 data->count = 0; 2390 2391 for (block = 0; block < block_count; block++) { 2392 int used = bitmap_get_bit(block_bitmap, block); 2393 update_progress(data, used); 2394 if (used) { 2395 if (data->count == 0) { 2396 data->offset = offset; 2397 } 2398 data->count++; 2399 } else { 2400 if (flush_outstanding_data(data)) { 2401 goto errout; 2402 } 2403 } 2404 2405 offset += info.block_size; 2406 2407 /* Write data if we are aligned or buffer size reached */ 2408 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2409 || data->count == BLOCKS_AT_A_TIME) { 2410 if (flush_outstanding_data(data)) { 2411 goto errout; 2412 } 2413 } 2414 2415 if (!is_battery_ok_to_continue()) { 2416 SLOGE("Stopping encryption due to low battery"); 2417 rc = 0; 2418 goto errout; 2419 } 2420 2421 } 2422 if (flush_outstanding_data(data)) { 2423 goto errout; 2424 } 2425 } 2426 2427 data->completed = 1; 2428 rc = 0; 2429 2430errout: 2431 log_progress(0, true); 2432 free(data->buffer); 2433 free(block_bitmap); 2434 return rc; 2435} 2436 2437static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2438 char *real_blkdev, 2439 off64_t size, 2440 off64_t *size_already_done, 2441 off64_t tot_size, 2442 off64_t previously_encrypted_upto) 2443{ 2444 u32 i; 2445 struct encryptGroupsData data; 2446 int rc; // Can't initialize without causing warning -Wclobbered 2447 2448 if (previously_encrypted_upto > *size_already_done) { 2449 SLOGD("Not fast encrypting since resuming part way through"); 2450 return -1; 2451 } 2452 2453 memset(&data, 0, sizeof(data)); 2454 data.real_blkdev = real_blkdev; 2455 data.crypto_blkdev = crypto_blkdev; 2456 2457 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2458 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2459 real_blkdev, errno, strerror(errno)); 2460 rc = -1; 2461 goto errout; 2462 } 2463 2464 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2465 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2466 crypto_blkdev, errno, strerror(errno)); 2467 rc = ENABLE_INPLACE_ERR_DEV; 2468 goto errout; 2469 } 2470 2471 if (setjmp(setjmp_env)) { 2472 SLOGE("Reading ext4 extent caused an exception\n"); 2473 rc = -1; 2474 goto errout; 2475 } 2476 2477 if (read_ext(data.realfd, 0) != 0) { 2478 SLOGE("Failed to read ext4 extent\n"); 2479 rc = -1; 2480 goto errout; 2481 } 2482 2483 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2484 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2485 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2486 2487 SLOGI("Encrypting ext4 filesystem in place..."); 2488 2489 data.tot_used_blocks = data.numblocks; 2490 for (i = 0; i < aux_info.groups; ++i) { 2491 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2492 } 2493 2494 data.one_pct = data.tot_used_blocks / 100; 2495 data.cur_pct = 0; 2496 2497 struct timespec time_started = {0}; 2498 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2499 SLOGW("Error getting time at start"); 2500 // Note - continue anyway - we'll run with 0 2501 } 2502 data.time_started = time_started.tv_sec; 2503 data.remaining_time = -1; 2504 2505 rc = encrypt_groups(&data); 2506 if (rc) { 2507 SLOGE("Error encrypting groups"); 2508 goto errout; 2509 } 2510 2511 *size_already_done += data.completed ? size : data.last_written_sector; 2512 rc = 0; 2513 2514errout: 2515 close(data.realfd); 2516 close(data.cryptofd); 2517 2518 return rc; 2519} 2520 2521static void log_progress_f2fs(u64 block, bool completed) 2522{ 2523 // Precondition - if completed data = 0 else data != 0 2524 2525 // Track progress so we can skip logging blocks 2526 static u64 last_block = (u64)-1; 2527 2528 // Need to close existing 'Encrypting from' log? 2529 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2530 SLOGI("Encrypted to block %" PRId64, last_block); 2531 last_block = -1; 2532 } 2533 2534 // Need to start new 'Encrypting from' log? 2535 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2536 SLOGI("Encrypting from block %" PRId64, block); 2537 } 2538 2539 // Update offset 2540 if (!completed) { 2541 last_block = block; 2542 } 2543} 2544 2545static int encrypt_one_block_f2fs(u64 pos, void *data) 2546{ 2547 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2548 2549 priv_dat->blocks_already_done = pos - 1; 2550 update_progress(priv_dat, 1); 2551 2552 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2553 2554 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2555 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2556 return -1; 2557 } 2558 2559 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2560 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2561 return -1; 2562 } else { 2563 log_progress_f2fs(pos, false); 2564 } 2565 2566 return 0; 2567} 2568 2569static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2570 char *real_blkdev, 2571 off64_t size, 2572 off64_t *size_already_done, 2573 off64_t tot_size, 2574 off64_t previously_encrypted_upto) 2575{ 2576 struct encryptGroupsData data; 2577 struct f2fs_info *f2fs_info = NULL; 2578 int rc = ENABLE_INPLACE_ERR_OTHER; 2579 if (previously_encrypted_upto > *size_already_done) { 2580 SLOGD("Not fast encrypting since resuming part way through"); 2581 return ENABLE_INPLACE_ERR_OTHER; 2582 } 2583 memset(&data, 0, sizeof(data)); 2584 data.real_blkdev = real_blkdev; 2585 data.crypto_blkdev = crypto_blkdev; 2586 data.realfd = -1; 2587 data.cryptofd = -1; 2588 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2589 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2590 real_blkdev); 2591 goto errout; 2592 } 2593 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2594 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2595 crypto_blkdev, errno, strerror(errno)); 2596 rc = ENABLE_INPLACE_ERR_DEV; 2597 goto errout; 2598 } 2599 2600 f2fs_info = generate_f2fs_info(data.realfd); 2601 if (!f2fs_info) 2602 goto errout; 2603 2604 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2605 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2606 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2607 2608 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2609 2610 data.one_pct = data.tot_used_blocks / 100; 2611 data.cur_pct = 0; 2612 data.time_started = time(NULL); 2613 data.remaining_time = -1; 2614 2615 data.buffer = malloc(f2fs_info->block_size); 2616 if (!data.buffer) { 2617 SLOGE("Failed to allocate crypto buffer"); 2618 goto errout; 2619 } 2620 2621 data.count = 0; 2622 2623 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2624 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2625 2626 if (rc) { 2627 SLOGE("Error in running over f2fs blocks"); 2628 rc = ENABLE_INPLACE_ERR_OTHER; 2629 goto errout; 2630 } 2631 2632 *size_already_done += size; 2633 rc = 0; 2634 2635errout: 2636 if (rc) 2637 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2638 2639 log_progress_f2fs(0, true); 2640 free(f2fs_info); 2641 free(data.buffer); 2642 close(data.realfd); 2643 close(data.cryptofd); 2644 2645 return rc; 2646} 2647 2648static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2649 off64_t size, off64_t *size_already_done, 2650 off64_t tot_size, 2651 off64_t previously_encrypted_upto) 2652{ 2653 int realfd, cryptofd; 2654 char *buf[CRYPT_INPLACE_BUFSIZE]; 2655 int rc = ENABLE_INPLACE_ERR_OTHER; 2656 off64_t numblocks, i, remainder; 2657 off64_t one_pct, cur_pct, new_pct; 2658 off64_t blocks_already_done, tot_numblocks; 2659 2660 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) { 2661 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2662 return ENABLE_INPLACE_ERR_OTHER; 2663 } 2664 2665 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2666 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2667 crypto_blkdev, errno, strerror(errno)); 2668 close(realfd); 2669 return ENABLE_INPLACE_ERR_DEV; 2670 } 2671 2672 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2673 * The size passed in is the number of 512 byte sectors in the filesystem. 2674 * So compute the number of whole 4K blocks we should read/write, 2675 * and the remainder. 2676 */ 2677 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2678 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2679 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2680 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2681 2682 SLOGE("Encrypting filesystem in place..."); 2683 2684 i = previously_encrypted_upto + 1 - *size_already_done; 2685 2686 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2687 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2688 goto errout; 2689 } 2690 2691 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2692 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2693 goto errout; 2694 } 2695 2696 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2697 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2698 SLOGE("Error reading initial sectors from real_blkdev %s for " 2699 "inplace encrypt\n", crypto_blkdev); 2700 goto errout; 2701 } 2702 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2703 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2704 "inplace encrypt\n", crypto_blkdev); 2705 goto errout; 2706 } else { 2707 SLOGI("Encrypted 1 block at %" PRId64, i); 2708 } 2709 } 2710 2711 one_pct = tot_numblocks / 100; 2712 cur_pct = 0; 2713 /* process the majority of the filesystem in blocks */ 2714 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2715 new_pct = (i + blocks_already_done) / one_pct; 2716 if (new_pct > cur_pct) { 2717 char buf[8]; 2718 2719 cur_pct = new_pct; 2720 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2721 property_set("vold.encrypt_progress", buf); 2722 } 2723 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2724 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2725 goto errout; 2726 } 2727 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2728 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2729 goto errout; 2730 } else { 2731 SLOGD("Encrypted %d block at %" PRId64, 2732 CRYPT_SECTORS_PER_BUFSIZE, 2733 i * CRYPT_SECTORS_PER_BUFSIZE); 2734 } 2735 2736 if (!is_battery_ok_to_continue()) { 2737 SLOGE("Stopping encryption due to low battery"); 2738 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2739 rc = 0; 2740 goto errout; 2741 } 2742 } 2743 2744 /* Do any remaining sectors */ 2745 for (i=0; i<remainder; i++) { 2746 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2747 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2748 goto errout; 2749 } 2750 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2751 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2752 goto errout; 2753 } else { 2754 SLOGI("Encrypted 1 block at next location"); 2755 } 2756 } 2757 2758 *size_already_done += size; 2759 rc = 0; 2760 2761errout: 2762 close(realfd); 2763 close(cryptofd); 2764 2765 return rc; 2766} 2767 2768/* returns on of the ENABLE_INPLACE_* return codes */ 2769static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2770 off64_t size, off64_t *size_already_done, 2771 off64_t tot_size, 2772 off64_t previously_encrypted_upto) 2773{ 2774 int rc_ext4, rc_f2fs, rc_full; 2775 if (previously_encrypted_upto) { 2776 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2777 } 2778 2779 if (*size_already_done + size < previously_encrypted_upto) { 2780 *size_already_done += size; 2781 return 0; 2782 } 2783 2784 /* TODO: identify filesystem type. 2785 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2786 * then we will drop down to cryptfs_enable_inplace_f2fs. 2787 * */ 2788 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2789 size, size_already_done, 2790 tot_size, previously_encrypted_upto)) == 0) { 2791 return 0; 2792 } 2793 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2794 2795 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2796 size, size_already_done, 2797 tot_size, previously_encrypted_upto)) == 0) { 2798 return 0; 2799 } 2800 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2801 2802 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2803 size, size_already_done, tot_size, 2804 previously_encrypted_upto); 2805 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2806 2807 /* Hack for b/17898962, the following is the symptom... */ 2808 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2809 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2810 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2811 return ENABLE_INPLACE_ERR_DEV; 2812 } 2813 return rc_full; 2814} 2815 2816#define CRYPTO_ENABLE_WIPE 1 2817#define CRYPTO_ENABLE_INPLACE 2 2818 2819#define FRAMEWORK_BOOT_WAIT 60 2820 2821static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2822{ 2823 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2824 if (fd == -1) { 2825 SLOGE("Error opening file %s", filename); 2826 return -1; 2827 } 2828 2829 char block[CRYPT_INPLACE_BUFSIZE]; 2830 memset(block, 0, sizeof(block)); 2831 if (unix_read(fd, block, sizeof(block)) < 0) { 2832 SLOGE("Error reading file %s", filename); 2833 close(fd); 2834 return -1; 2835 } 2836 2837 close(fd); 2838 2839 SHA256_CTX c; 2840 SHA256_Init(&c); 2841 SHA256_Update(&c, block, sizeof(block)); 2842 SHA256_Final(buf, &c); 2843 2844 return 0; 2845} 2846 2847static int get_fs_type(struct fstab_rec *rec) 2848{ 2849 if (!strcmp(rec->fs_type, "ext4")) { 2850 return EXT4_FS; 2851 } else if (!strcmp(rec->fs_type, "f2fs")) { 2852 return F2FS_FS; 2853 } else { 2854 return -1; 2855 } 2856} 2857 2858static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2859 char *crypto_blkdev, char *real_blkdev, 2860 int previously_encrypted_upto) 2861{ 2862 off64_t cur_encryption_done=0, tot_encryption_size=0; 2863 int rc = -1; 2864 2865 if (!is_battery_ok_to_start()) { 2866 SLOGW("Not starting encryption due to low battery"); 2867 return 0; 2868 } 2869 2870 /* The size of the userdata partition, and add in the vold volumes below */ 2871 tot_encryption_size = crypt_ftr->fs_size; 2872 2873 if (how == CRYPTO_ENABLE_WIPE) { 2874 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2875 int fs_type = get_fs_type(rec); 2876 if (fs_type < 0) { 2877 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2878 return -1; 2879 } 2880 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2881 } else if (how == CRYPTO_ENABLE_INPLACE) { 2882 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2883 crypt_ftr->fs_size, &cur_encryption_done, 2884 tot_encryption_size, 2885 previously_encrypted_upto); 2886 2887 if (rc == ENABLE_INPLACE_ERR_DEV) { 2888 /* Hack for b/17898962 */ 2889 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2890 cryptfs_reboot(reboot); 2891 } 2892 2893 if (!rc) { 2894 crypt_ftr->encrypted_upto = cur_encryption_done; 2895 } 2896 2897 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2898 /* The inplace routine never actually sets the progress to 100% due 2899 * to the round down nature of integer division, so set it here */ 2900 property_set("vold.encrypt_progress", "100"); 2901 } 2902 } else { 2903 /* Shouldn't happen */ 2904 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2905 rc = -1; 2906 } 2907 2908 return rc; 2909} 2910 2911int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2912 int allow_reboot) 2913{ 2914 int how = 0; 2915 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2916 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2917 int rc=-1, i; 2918 struct crypt_mnt_ftr crypt_ftr; 2919 struct crypt_persist_data *pdata; 2920 char encrypted_state[PROPERTY_VALUE_MAX]; 2921 char lockid[32] = { 0 }; 2922 char key_loc[PROPERTY_VALUE_MAX]; 2923 int num_vols; 2924 off64_t previously_encrypted_upto = 0; 2925 2926 if (!strcmp(howarg, "wipe")) { 2927 how = CRYPTO_ENABLE_WIPE; 2928 } else if (! strcmp(howarg, "inplace")) { 2929 how = CRYPTO_ENABLE_INPLACE; 2930 } else { 2931 /* Shouldn't happen, as CommandListener vets the args */ 2932 goto error_unencrypted; 2933 } 2934 2935 /* See if an encryption was underway and interrupted */ 2936 if (how == CRYPTO_ENABLE_INPLACE 2937 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2938 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2939 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2940 crypt_ftr.encrypted_upto = 0; 2941 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2942 2943 /* At this point, we are in an inconsistent state. Until we successfully 2944 complete encryption, a reboot will leave us broken. So mark the 2945 encryption failed in case that happens. 2946 On successfully completing encryption, remove this flag */ 2947 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2948 2949 put_crypt_ftr_and_key(&crypt_ftr); 2950 } 2951 2952 property_get("ro.crypto.state", encrypted_state, ""); 2953 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2954 SLOGE("Device is already running encrypted, aborting"); 2955 goto error_unencrypted; 2956 } 2957 2958 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2959 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2960 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2961 2962 /* Get the size of the real block device */ 2963 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 2964 if (fd == -1) { 2965 SLOGE("Cannot open block device %s\n", real_blkdev); 2966 goto error_unencrypted; 2967 } 2968 unsigned long nr_sec; 2969 get_blkdev_size(fd, &nr_sec); 2970 if (nr_sec == 0) { 2971 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2972 goto error_unencrypted; 2973 } 2974 close(fd); 2975 2976 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2977 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2978 unsigned int fs_size_sec, max_fs_size_sec; 2979 fs_size_sec = get_fs_size(real_blkdev); 2980 if (fs_size_sec == 0) 2981 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2982 2983 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2984 2985 if (fs_size_sec > max_fs_size_sec) { 2986 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2987 goto error_unencrypted; 2988 } 2989 } 2990 2991 /* Get a wakelock as this may take a while, and we don't want the 2992 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2993 * wants to keep the screen on, it can grab a full wakelock. 2994 */ 2995 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2996 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2997 2998 /* The init files are setup to stop the class main and late start when 2999 * vold sets trigger_shutdown_framework. 3000 */ 3001 property_set("vold.decrypt", "trigger_shutdown_framework"); 3002 SLOGD("Just asked init to shut down class main\n"); 3003 3004 /* Ask vold to unmount all devices that it manages */ 3005 if (vold_unmountAll()) { 3006 SLOGE("Failed to unmount all vold managed devices"); 3007 } 3008 3009 /* Now unmount the /data partition. */ 3010 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3011 if (allow_reboot) { 3012 goto error_shutting_down; 3013 } else { 3014 goto error_unencrypted; 3015 } 3016 } 3017 3018 /* Do extra work for a better UX when doing the long inplace encryption */ 3019 if (how == CRYPTO_ENABLE_INPLACE) { 3020 /* Now that /data is unmounted, we need to mount a tmpfs 3021 * /data, set a property saying we're doing inplace encryption, 3022 * and restart the framework. 3023 */ 3024 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3025 goto error_shutting_down; 3026 } 3027 /* Tells the framework that inplace encryption is starting */ 3028 property_set("vold.encrypt_progress", "0"); 3029 3030 /* restart the framework. */ 3031 /* Create necessary paths on /data */ 3032 if (prep_data_fs()) { 3033 goto error_shutting_down; 3034 } 3035 3036 /* Ugh, shutting down the framework is not synchronous, so until it 3037 * can be fixed, this horrible hack will wait a moment for it all to 3038 * shut down before proceeding. Without it, some devices cannot 3039 * restart the graphics services. 3040 */ 3041 sleep(2); 3042 } 3043 3044 /* Start the actual work of making an encrypted filesystem */ 3045 /* Initialize a crypt_mnt_ftr for the partition */ 3046 if (previously_encrypted_upto == 0) { 3047 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3048 goto error_shutting_down; 3049 } 3050 3051 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3052 crypt_ftr.fs_size = nr_sec 3053 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3054 } else { 3055 crypt_ftr.fs_size = nr_sec; 3056 } 3057 /* At this point, we are in an inconsistent state. Until we successfully 3058 complete encryption, a reboot will leave us broken. So mark the 3059 encryption failed in case that happens. 3060 On successfully completing encryption, remove this flag */ 3061 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3062 crypt_ftr.crypt_type = crypt_type; 3063#ifndef CONFIG_HW_DISK_ENCRYPTION 3064 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3065#else 3066 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3067 3068 rc = clear_hw_device_encryption_key(); 3069 if (!rc) { 3070 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3071 } 3072 3073 rc = set_hw_device_encryption_key(passwd, 3074 (char*) crypt_ftr.crypto_type_name); 3075 if (!rc) { 3076 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3077 goto error_shutting_down; 3078 } 3079#endif 3080 3081 /* Make an encrypted master key */ 3082 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3083 SLOGE("Cannot create encrypted master key\n"); 3084 goto error_shutting_down; 3085 } 3086 3087 /* Write the key to the end of the partition */ 3088 put_crypt_ftr_and_key(&crypt_ftr); 3089 3090 /* If any persistent data has been remembered, save it. 3091 * If none, create a valid empty table and save that. 3092 */ 3093 if (!persist_data) { 3094 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3095 if (pdata) { 3096 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3097 persist_data = pdata; 3098 } 3099 } 3100 if (persist_data) { 3101 save_persistent_data(); 3102 } 3103 } 3104 3105 if (how == CRYPTO_ENABLE_INPLACE) { 3106 /* startup service classes main and late_start */ 3107 property_set("vold.decrypt", "trigger_restart_min_framework"); 3108 SLOGD("Just triggered restart_min_framework\n"); 3109 3110 /* OK, the framework is restarted and will soon be showing a 3111 * progress bar. Time to setup an encrypted mapping, and 3112 * either write a new filesystem, or encrypt in place updating 3113 * the progress bar as we work. 3114 */ 3115 } 3116 3117 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3118 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3119 "userdata"); 3120 3121 /* If we are continuing, check checksums match */ 3122 rc = 0; 3123 if (previously_encrypted_upto) { 3124 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3125 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3126 3127 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3128 sizeof(hash_first_block)) != 0) { 3129 SLOGE("Checksums do not match - trigger wipe"); 3130 rc = -1; 3131 } 3132 } 3133 3134 if (!rc) { 3135 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3136 crypto_blkdev, real_blkdev, 3137 previously_encrypted_upto); 3138 } 3139 3140 /* Calculate checksum if we are not finished */ 3141 if (!rc && how == CRYPTO_ENABLE_INPLACE 3142 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3143 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3144 crypt_ftr.hash_first_block); 3145 if (rc) { 3146 SLOGE("Error calculating checksum for continuing encryption"); 3147 rc = -1; 3148 } 3149 } 3150 3151 /* Undo the dm-crypt mapping whether we succeed or not */ 3152 delete_crypto_blk_dev("userdata"); 3153 3154 if (! rc) { 3155 /* Success */ 3156 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3157 3158 if (how == CRYPTO_ENABLE_INPLACE 3159 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3160 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3161 crypt_ftr.encrypted_upto); 3162 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3163 } 3164 3165 put_crypt_ftr_and_key(&crypt_ftr); 3166 3167 if (how == CRYPTO_ENABLE_WIPE 3168 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3169 char value[PROPERTY_VALUE_MAX]; 3170 property_get("ro.crypto.state", value, ""); 3171 if (!strcmp(value, "")) { 3172 /* default encryption - continue first boot sequence */ 3173 property_set("ro.crypto.state", "encrypted"); 3174 release_wake_lock(lockid); 3175 cryptfs_check_passwd(DEFAULT_PASSWORD); 3176 cryptfs_restart_internal(1); 3177 return 0; 3178 } else { 3179 sleep(2); /* Give the UI a chance to show 100% progress */ 3180 cryptfs_reboot(reboot); 3181 } 3182 } else { 3183 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3184 cryptfs_reboot(shutdown); 3185 } 3186 } else { 3187 char value[PROPERTY_VALUE_MAX]; 3188 3189 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3190 if (!strcmp(value, "1")) { 3191 /* wipe data if encryption failed */ 3192 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3193 mkdir("/cache/recovery", 0700); 3194 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600); 3195 if (fd >= 0) { 3196 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3197 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3198 close(fd); 3199 } else { 3200 SLOGE("could not open /cache/recovery/command\n"); 3201 } 3202 cryptfs_reboot(recovery); 3203 } else { 3204 /* set property to trigger dialog */ 3205 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3206 release_wake_lock(lockid); 3207 } 3208 return -1; 3209 } 3210 3211 /* hrm, the encrypt step claims success, but the reboot failed. 3212 * This should not happen. 3213 * Set the property and return. Hope the framework can deal with it. 3214 */ 3215 property_set("vold.encrypt_progress", "error_reboot_failed"); 3216 release_wake_lock(lockid); 3217 return rc; 3218 3219error_unencrypted: 3220 property_set("vold.encrypt_progress", "error_not_encrypted"); 3221 if (lockid[0]) { 3222 release_wake_lock(lockid); 3223 } 3224 return -1; 3225 3226error_shutting_down: 3227 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3228 * but the framework is stopped and not restarted to show the error, so it's up to 3229 * vold to restart the system. 3230 */ 3231 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3232 cryptfs_reboot(reboot); 3233 3234 /* shouldn't get here */ 3235 property_set("vold.encrypt_progress", "error_shutting_down"); 3236 if (lockid[0]) { 3237 release_wake_lock(lockid); 3238 } 3239 return -1; 3240} 3241 3242int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3243{ 3244 char* adjusted_passwd = adjust_passwd(passwd); 3245 if (adjusted_passwd) { 3246 passwd = adjusted_passwd; 3247 } 3248 3249 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3250 3251 free(adjusted_passwd); 3252 return rc; 3253} 3254 3255int cryptfs_enable_default(char *howarg, int allow_reboot) 3256{ 3257 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3258 DEFAULT_PASSWORD, allow_reboot); 3259} 3260 3261int cryptfs_changepw(int crypt_type, const char *newpw) 3262{ 3263 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3264 return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw); 3265 } 3266 3267 struct crypt_mnt_ftr crypt_ftr; 3268 int rc; 3269 3270 /* This is only allowed after we've successfully decrypted the master key */ 3271 if (!master_key_saved) { 3272 SLOGE("Key not saved, aborting"); 3273 return -1; 3274 } 3275 3276 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3277 SLOGE("Invalid crypt_type %d", crypt_type); 3278 return -1; 3279 } 3280 3281 /* get key */ 3282 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3283 SLOGE("Error getting crypt footer and key"); 3284 return -1; 3285 } 3286 3287 crypt_ftr.crypt_type = crypt_type; 3288 3289 char* adjusted_passwd = adjust_passwd(newpw); 3290 if (adjusted_passwd) { 3291 newpw = adjusted_passwd; 3292 } 3293 3294 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3295 : newpw, 3296 crypt_ftr.salt, 3297 saved_master_key, 3298 crypt_ftr.master_key, 3299 &crypt_ftr); 3300 free(adjusted_passwd); 3301 if (rc) { 3302 SLOGE("Encrypt master key failed: %d", rc); 3303 return -1; 3304 } 3305 /* save the key */ 3306 put_crypt_ftr_and_key(&crypt_ftr); 3307 3308#ifdef CONFIG_HW_DISK_ENCRYPTION 3309 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3310 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3311 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3312 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3313 if (!rc) 3314 return -1; 3315 } else { 3316 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3317 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3318 if (!rc) 3319 return -1; 3320 } 3321 } 3322#endif 3323 return 0; 3324} 3325 3326static unsigned int persist_get_max_entries(int encrypted) { 3327 struct crypt_mnt_ftr crypt_ftr; 3328 unsigned int dsize; 3329 unsigned int max_persistent_entries; 3330 3331 /* If encrypted, use the values from the crypt_ftr, otherwise 3332 * use the values for the current spec. 3333 */ 3334 if (encrypted) { 3335 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3336 return -1; 3337 } 3338 dsize = crypt_ftr.persist_data_size; 3339 } else { 3340 dsize = CRYPT_PERSIST_DATA_SIZE; 3341 } 3342 3343 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3344 sizeof(struct crypt_persist_entry); 3345 3346 return max_persistent_entries; 3347} 3348 3349static int persist_get_key(const char *fieldname, char *value) 3350{ 3351 unsigned int i; 3352 3353 if (persist_data == NULL) { 3354 return -1; 3355 } 3356 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3357 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3358 /* We found it! */ 3359 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3360 return 0; 3361 } 3362 } 3363 3364 return -1; 3365} 3366 3367static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3368{ 3369 unsigned int i; 3370 unsigned int num; 3371 unsigned int max_persistent_entries; 3372 3373 if (persist_data == NULL) { 3374 return -1; 3375 } 3376 3377 max_persistent_entries = persist_get_max_entries(encrypted); 3378 3379 num = persist_data->persist_valid_entries; 3380 3381 for (i = 0; i < num; i++) { 3382 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3383 /* We found an existing entry, update it! */ 3384 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3385 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3386 return 0; 3387 } 3388 } 3389 3390 /* We didn't find it, add it to the end, if there is room */ 3391 if (persist_data->persist_valid_entries < max_persistent_entries) { 3392 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3393 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3394 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3395 persist_data->persist_valid_entries++; 3396 return 0; 3397 } 3398 3399 return -1; 3400} 3401 3402/** 3403 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3404 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3405 */ 3406static int match_multi_entry(const char *key, const char *field, unsigned index) { 3407 unsigned int field_len; 3408 unsigned int key_index; 3409 field_len = strlen(field); 3410 3411 if (index == 0) { 3412 // The first key in a multi-entry field is just the filedname itself. 3413 if (!strcmp(key, field)) { 3414 return 1; 3415 } 3416 } 3417 // Match key against "%s_%d" % (field, index) 3418 if (strlen(key) < field_len + 1 + 1) { 3419 // Need at least a '_' and a digit. 3420 return 0; 3421 } 3422 if (strncmp(key, field, field_len)) { 3423 // If the key does not begin with field, it's not a match. 3424 return 0; 3425 } 3426 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3427 return 0; 3428 } 3429 return key_index >= index; 3430} 3431 3432/* 3433 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3434 * remaining entries starting from index will be deleted. 3435 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3436 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3437 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3438 * 3439 */ 3440static int persist_del_keys(const char *fieldname, unsigned index) 3441{ 3442 unsigned int i; 3443 unsigned int j; 3444 unsigned int num; 3445 3446 if (persist_data == NULL) { 3447 return PERSIST_DEL_KEY_ERROR_OTHER; 3448 } 3449 3450 num = persist_data->persist_valid_entries; 3451 3452 j = 0; // points to the end of non-deleted entries. 3453 // Filter out to-be-deleted entries in place. 3454 for (i = 0; i < num; i++) { 3455 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3456 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3457 j++; 3458 } 3459 } 3460 3461 if (j < num) { 3462 persist_data->persist_valid_entries = j; 3463 // Zeroise the remaining entries 3464 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3465 return PERSIST_DEL_KEY_OK; 3466 } else { 3467 // Did not find an entry matching the given fieldname 3468 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3469 } 3470} 3471 3472static int persist_count_keys(const char *fieldname) 3473{ 3474 unsigned int i; 3475 unsigned int count; 3476 3477 if (persist_data == NULL) { 3478 return -1; 3479 } 3480 3481 count = 0; 3482 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3483 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3484 count++; 3485 } 3486 } 3487 3488 return count; 3489} 3490 3491/* Return the value of the specified field. */ 3492int cryptfs_getfield(const char *fieldname, char *value, int len) 3493{ 3494 char temp_value[PROPERTY_VALUE_MAX]; 3495 /* CRYPTO_GETFIELD_OK is success, 3496 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3497 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3498 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3499 */ 3500 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3501 int i; 3502 char temp_field[PROPERTY_KEY_MAX]; 3503 3504 if (persist_data == NULL) { 3505 load_persistent_data(); 3506 if (persist_data == NULL) { 3507 SLOGE("Getfield error, cannot load persistent data"); 3508 goto out; 3509 } 3510 } 3511 3512 // Read value from persistent entries. If the original value is split into multiple entries, 3513 // stitch them back together. 3514 if (!persist_get_key(fieldname, temp_value)) { 3515 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3516 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3517 // value too small 3518 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3519 goto out; 3520 } 3521 rc = CRYPTO_GETFIELD_OK; 3522 3523 for (i = 1; /* break explicitly */; i++) { 3524 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3525 (int) sizeof(temp_field)) { 3526 // If the fieldname is very long, we stop as soon as it begins to overflow the 3527 // maximum field length. At this point we have in fact fully read out the original 3528 // value because cryptfs_setfield would not allow fields with longer names to be 3529 // written in the first place. 3530 break; 3531 } 3532 if (!persist_get_key(temp_field, temp_value)) { 3533 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3534 // value too small. 3535 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3536 goto out; 3537 } 3538 } else { 3539 // Exhaust all entries. 3540 break; 3541 } 3542 } 3543 } else { 3544 /* Sadness, it's not there. Return the error */ 3545 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3546 } 3547 3548out: 3549 return rc; 3550} 3551 3552/* Set the value of the specified field. */ 3553int cryptfs_setfield(const char *fieldname, const char *value) 3554{ 3555 char encrypted_state[PROPERTY_VALUE_MAX]; 3556 /* 0 is success, negative values are error */ 3557 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3558 int encrypted = 0; 3559 unsigned int field_id; 3560 char temp_field[PROPERTY_KEY_MAX]; 3561 unsigned int num_entries; 3562 unsigned int max_keylen; 3563 3564 if (persist_data == NULL) { 3565 load_persistent_data(); 3566 if (persist_data == NULL) { 3567 SLOGE("Setfield error, cannot load persistent data"); 3568 goto out; 3569 } 3570 } 3571 3572 property_get("ro.crypto.state", encrypted_state, ""); 3573 if (!strcmp(encrypted_state, "encrypted") ) { 3574 encrypted = 1; 3575 } 3576 3577 // Compute the number of entries required to store value, each entry can store up to 3578 // (PROPERTY_VALUE_MAX - 1) chars 3579 if (strlen(value) == 0) { 3580 // Empty value also needs one entry to store. 3581 num_entries = 1; 3582 } else { 3583 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3584 } 3585 3586 max_keylen = strlen(fieldname); 3587 if (num_entries > 1) { 3588 // Need an extra "_%d" suffix. 3589 max_keylen += 1 + log10(num_entries); 3590 } 3591 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3592 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3593 goto out; 3594 } 3595 3596 // Make sure we have enough space to write the new value 3597 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3598 persist_get_max_entries(encrypted)) { 3599 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3600 goto out; 3601 } 3602 3603 // Now that we know persist_data has enough space for value, let's delete the old field first 3604 // to make up space. 3605 persist_del_keys(fieldname, 0); 3606 3607 if (persist_set_key(fieldname, value, encrypted)) { 3608 // fail to set key, should not happen as we have already checked the available space 3609 SLOGE("persist_set_key() error during setfield()"); 3610 goto out; 3611 } 3612 3613 for (field_id = 1; field_id < num_entries; field_id++) { 3614 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3615 3616 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3617 // fail to set key, should not happen as we have already checked the available space. 3618 SLOGE("persist_set_key() error during setfield()"); 3619 goto out; 3620 } 3621 } 3622 3623 /* If we are running encrypted, save the persistent data now */ 3624 if (encrypted) { 3625 if (save_persistent_data()) { 3626 SLOGE("Setfield error, cannot save persistent data"); 3627 goto out; 3628 } 3629 } 3630 3631 rc = CRYPTO_SETFIELD_OK; 3632 3633out: 3634 return rc; 3635} 3636 3637/* Checks userdata. Attempt to mount the volume if default- 3638 * encrypted. 3639 * On success trigger next init phase and return 0. 3640 * Currently do not handle failure - see TODO below. 3641 */ 3642int cryptfs_mount_default_encrypted(void) 3643{ 3644 char decrypt_state[PROPERTY_VALUE_MAX]; 3645 property_get("vold.decrypt", decrypt_state, "0"); 3646 if (!strcmp(decrypt_state, "0")) { 3647 SLOGE("Not encrypted - should not call here"); 3648 } else { 3649 int crypt_type = cryptfs_get_password_type(); 3650 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3651 SLOGE("Bad crypt type - error"); 3652 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3653 SLOGD("Password is not default - " 3654 "starting min framework to prompt"); 3655 property_set("vold.decrypt", "trigger_restart_min_framework"); 3656 return 0; 3657 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3658 SLOGD("Password is default - restarting filesystem"); 3659 cryptfs_restart_internal(0); 3660 return 0; 3661 } else { 3662 SLOGE("Encrypted, default crypt type but can't decrypt"); 3663 } 3664 } 3665 3666 /** Corrupt. Allow us to boot into framework, which will detect bad 3667 crypto when it calls do_crypto_complete, then do a factory reset 3668 */ 3669 property_set("vold.decrypt", "trigger_restart_min_framework"); 3670 return 0; 3671} 3672 3673/* Returns type of the password, default, pattern, pin or password. 3674 */ 3675int cryptfs_get_password_type(void) 3676{ 3677 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3678 return e4crypt_get_password_type(DATA_MNT_POINT); 3679 } 3680 3681 struct crypt_mnt_ftr crypt_ftr; 3682 3683 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3684 SLOGE("Error getting crypt footer and key\n"); 3685 return -1; 3686 } 3687 3688 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3689 return -1; 3690 } 3691 3692 return crypt_ftr.crypt_type; 3693} 3694 3695const char* cryptfs_get_password() 3696{ 3697 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3698 return e4crypt_get_password(DATA_MNT_POINT); 3699 } 3700 3701 struct timespec now; 3702 clock_gettime(CLOCK_BOOTTIME, &now); 3703 if (now.tv_sec < password_expiry_time) { 3704 return password; 3705 } else { 3706 cryptfs_clear_password(); 3707 return 0; 3708 } 3709} 3710 3711void cryptfs_clear_password() 3712{ 3713 if (password) { 3714 size_t len = strlen(password); 3715 memset(password, 0, len); 3716 free(password); 3717 password = 0; 3718 password_expiry_time = 0; 3719 } 3720} 3721 3722int cryptfs_enable_file() 3723{ 3724 return e4crypt_enable(DATA_MNT_POINT); 3725} 3726 3727int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) 3728{ 3729 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { 3730 SLOGE("Failed to initialize crypt_ftr"); 3731 return -1; 3732 } 3733 3734 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, 3735 crypt_ftr->salt, crypt_ftr)) { 3736 SLOGE("Cannot create encrypted master key\n"); 3737 return -1; 3738 } 3739 3740 //crypt_ftr->keysize = key_length / 8; 3741 return 0; 3742} 3743 3744int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, 3745 unsigned char* master_key) 3746{ 3747 int rc; 3748 3749 // ext4enc:TODO check intermediate_key to see if this is valid key 3750 unsigned char* intermediate_key = 0; 3751 size_t intermediate_key_size = 0; 3752 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, 3753 &intermediate_key_size); 3754 3755 return rc; 3756} 3757 3758int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password, 3759 const unsigned char* master_key) 3760{ 3761 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key, 3762 ftr); 3763} 3764