cryptfs.c revision 74f29f1df7d12c0cc06e9d6685adf15e757d8eda
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include "cryptfs.h" 44#define LOG_TAG "Cryptfs" 45#include "cutils/log.h" 46#include "cutils/properties.h" 47#include "cutils/android_reboot.h" 48#include "hardware_legacy/power.h" 49#include <logwrap/logwrap.h> 50#include "VolumeManager.h" 51#include "VoldUtil.h" 52#include "crypto_scrypt.h" 53#include "ext4_utils.h" 54#include "f2fs_sparseblock.h" 55#include "CheckBattery.h" 56 57#include <hardware/keymaster.h> 58 59#define UNUSED __attribute__((unused)) 60 61#define UNUSED __attribute__((unused)) 62 63#define DM_CRYPT_BUF_SIZE 4096 64 65#define HASH_COUNT 2000 66#define KEY_LEN_BYTES 16 67#define IV_LEN_BYTES 16 68 69#define KEY_IN_FOOTER "footer" 70 71// "default_password" encoded into hex (d=0x64 etc) 72#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 73 74#define EXT4_FS 1 75#define F2FS_FS 2 76 77#define TABLE_LOAD_RETRIES 10 78 79#define RSA_DEFAULT_KEY_SIZE 2048 80#define RSA_DEFAULT_EXPONENT 0x10001 81 82char *me = "cryptfs"; 83 84static unsigned char saved_master_key[KEY_LEN_BYTES]; 85static char *saved_mount_point; 86static int master_key_saved = 0; 87static struct crypt_persist_data *persist_data = NULL; 88 89static int keymaster_init(keymaster_device_t **keymaster_dev) 90{ 91 int rc; 92 93 const hw_module_t* mod; 94 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 95 if (rc) { 96 ALOGE("could not find any keystore module"); 97 goto out; 98 } 99 100 rc = keymaster_open(mod, keymaster_dev); 101 if (rc) { 102 ALOGE("could not open keymaster device in %s (%s)", 103 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 104 goto out; 105 } 106 107 return 0; 108 109out: 110 *keymaster_dev = NULL; 111 return rc; 112} 113 114/* Should we use keymaster? */ 115static int keymaster_check_compatibility() 116{ 117 keymaster_device_t *keymaster_dev = 0; 118 int rc = 0; 119 120 if (keymaster_init(&keymaster_dev)) { 121 SLOGE("Failed to init keymaster"); 122 rc = -1; 123 goto out; 124 } 125 126 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 127 128 if (keymaster_dev->common.module->module_api_version 129 < KEYMASTER_MODULE_API_VERSION_0_3) { 130 rc = 0; 131 goto out; 132 } 133 134 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 135 rc = 1; 136 } 137 138out: 139 keymaster_close(keymaster_dev); 140 return rc; 141} 142 143/* Create a new keymaster key and store it in this footer */ 144static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 145{ 146 uint8_t* key = 0; 147 keymaster_device_t *keymaster_dev = 0; 148 149 if (keymaster_init(&keymaster_dev)) { 150 SLOGE("Failed to init keymaster"); 151 return -1; 152 } 153 154 int rc = 0; 155 156 keymaster_rsa_keygen_params_t params; 157 memset(¶ms, '\0', sizeof(params)); 158 params.public_exponent = RSA_DEFAULT_EXPONENT; 159 params.modulus_size = RSA_DEFAULT_KEY_SIZE; 160 161 size_t key_size; 162 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 163 &key, &key_size)) { 164 SLOGE("Failed to generate keypair"); 165 rc = -1; 166 goto out; 167 } 168 169 if (key_size > KEYMASTER_BLOB_SIZE) { 170 SLOGE("Keymaster key too large for crypto footer"); 171 rc = -1; 172 goto out; 173 } 174 175 memcpy(ftr->keymaster_blob, key, key_size); 176 ftr->keymaster_blob_size = key_size; 177 178out: 179 keymaster_close(keymaster_dev); 180 free(key); 181 return rc; 182} 183 184/* This signs the given object using the keymaster key */ 185static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 186 const unsigned char *object, 187 const size_t object_size, 188 unsigned char **signature, 189 size_t *signature_size) 190{ 191 int rc = 0; 192 keymaster_device_t *keymaster_dev = 0; 193 if (keymaster_init(&keymaster_dev)) { 194 SLOGE("Failed to init keymaster"); 195 return -1; 196 } 197 198 /* We currently set the digest type to DIGEST_NONE because it's the 199 * only supported value for keymaster. A similar issue exists with 200 * PADDING_NONE. Long term both of these should likely change. 201 */ 202 keymaster_rsa_sign_params_t params; 203 params.digest_type = DIGEST_NONE; 204 params.padding_type = PADDING_NONE; 205 206 rc = keymaster_dev->sign_data(keymaster_dev, 207 ¶ms, 208 ftr->keymaster_blob, 209 ftr->keymaster_blob_size, 210 object, 211 object_size, 212 signature, 213 signature_size); 214 215 keymaster_close(keymaster_dev); 216 return rc; 217} 218 219/* Store password when userdata is successfully decrypted and mounted. 220 * Cleared by cryptfs_clear_password 221 * 222 * To avoid a double prompt at boot, we need to store the CryptKeeper 223 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 224 * Since the entire framework is torn down and rebuilt after encryption, 225 * we have to use a daemon or similar to store the password. Since vold 226 * is secured against IPC except from system processes, it seems a reasonable 227 * place to store this. 228 * 229 * password should be cleared once it has been used. 230 * 231 * password is aged out after password_max_age_seconds seconds. 232 */ 233static char* password = 0; 234static int password_expiry_time = 0; 235static const int password_max_age_seconds = 60; 236 237extern struct fstab *fstab; 238 239enum RebootType {reboot, recovery, shutdown}; 240static void cryptfs_reboot(enum RebootType rt) 241{ 242 switch(rt) { 243 case reboot: 244 property_set(ANDROID_RB_PROPERTY, "reboot"); 245 break; 246 247 case recovery: 248 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 249 break; 250 251 case shutdown: 252 property_set(ANDROID_RB_PROPERTY, "shutdown"); 253 break; 254 } 255 256 sleep(20); 257 258 /* Shouldn't get here, reboot should happen before sleep times out */ 259 return; 260} 261 262static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 263{ 264 memset(io, 0, dataSize); 265 io->data_size = dataSize; 266 io->data_start = sizeof(struct dm_ioctl); 267 io->version[0] = 4; 268 io->version[1] = 0; 269 io->version[2] = 0; 270 io->flags = flags; 271 if (name) { 272 strncpy(io->name, name, sizeof(io->name)); 273 } 274} 275 276/** 277 * Gets the default device scrypt parameters for key derivation time tuning. 278 * The parameters should lead to about one second derivation time for the 279 * given device. 280 */ 281static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 282 const int default_params[] = SCRYPT_DEFAULTS; 283 int params[] = SCRYPT_DEFAULTS; 284 char paramstr[PROPERTY_VALUE_MAX]; 285 char *token; 286 char *saveptr; 287 int i; 288 289 property_get(SCRYPT_PROP, paramstr, ""); 290 if (paramstr[0] != '\0') { 291 /* 292 * The token we're looking for should be three integers separated by 293 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 294 */ 295 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 296 token != NULL && i < 3; 297 i++, token = strtok_r(NULL, ":", &saveptr)) { 298 char *endptr; 299 params[i] = strtol(token, &endptr, 10); 300 301 /* 302 * Check that there was a valid number and it's 8-bit. If not, 303 * break out and the end check will take the default values. 304 */ 305 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 306 break; 307 } 308 } 309 310 /* 311 * If there were not enough tokens or a token was malformed (not an 312 * integer), it will end up here and the default parameters can be 313 * taken. 314 */ 315 if ((i != 3) || (token != NULL)) { 316 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 317 memcpy(params, default_params, sizeof(params)); 318 } 319 } 320 321 ftr->N_factor = params[0]; 322 ftr->r_factor = params[1]; 323 ftr->p_factor = params[2]; 324} 325 326static unsigned int get_fs_size(char *dev) 327{ 328 int fd, block_size; 329 struct ext4_super_block sb; 330 off64_t len; 331 332 if ((fd = open(dev, O_RDONLY)) < 0) { 333 SLOGE("Cannot open device to get filesystem size "); 334 return 0; 335 } 336 337 if (lseek64(fd, 1024, SEEK_SET) < 0) { 338 SLOGE("Cannot seek to superblock"); 339 return 0; 340 } 341 342 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 343 SLOGE("Cannot read superblock"); 344 return 0; 345 } 346 347 close(fd); 348 349 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 350 SLOGE("Not a valid ext4 superblock"); 351 return 0; 352 } 353 block_size = 1024 << sb.s_log_block_size; 354 /* compute length in bytes */ 355 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 356 357 /* return length in sectors */ 358 return (unsigned int) (len / 512); 359} 360 361static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 362{ 363 static int cached_data = 0; 364 static off64_t cached_off = 0; 365 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 366 int fd; 367 char key_loc[PROPERTY_VALUE_MAX]; 368 char real_blkdev[PROPERTY_VALUE_MAX]; 369 unsigned int nr_sec; 370 int rc = -1; 371 372 if (!cached_data) { 373 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 374 375 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 376 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 377 SLOGE("Cannot open real block device %s\n", real_blkdev); 378 return -1; 379 } 380 381 if ((nr_sec = get_blkdev_size(fd))) { 382 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 383 * encryption info footer and key, and plenty of bytes to spare for future 384 * growth. 385 */ 386 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 387 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 388 cached_data = 1; 389 } else { 390 SLOGE("Cannot get size of block device %s\n", real_blkdev); 391 } 392 close(fd); 393 } else { 394 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 395 cached_off = 0; 396 cached_data = 1; 397 } 398 } 399 400 if (cached_data) { 401 if (metadata_fname) { 402 *metadata_fname = cached_metadata_fname; 403 } 404 if (off) { 405 *off = cached_off; 406 } 407 rc = 0; 408 } 409 410 return rc; 411} 412 413/* key or salt can be NULL, in which case just skip writing that value. Useful to 414 * update the failed mount count but not change the key. 415 */ 416static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 417{ 418 int fd; 419 unsigned int nr_sec, cnt; 420 /* starting_off is set to the SEEK_SET offset 421 * where the crypto structure starts 422 */ 423 off64_t starting_off; 424 int rc = -1; 425 char *fname = NULL; 426 struct stat statbuf; 427 428 if (get_crypt_ftr_info(&fname, &starting_off)) { 429 SLOGE("Unable to get crypt_ftr_info\n"); 430 return -1; 431 } 432 if (fname[0] != '/') { 433 SLOGE("Unexpected value for crypto key location\n"); 434 return -1; 435 } 436 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 437 SLOGE("Cannot open footer file %s for put\n", fname); 438 return -1; 439 } 440 441 /* Seek to the start of the crypt footer */ 442 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 443 SLOGE("Cannot seek to real block device footer\n"); 444 goto errout; 445 } 446 447 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 448 SLOGE("Cannot write real block device footer\n"); 449 goto errout; 450 } 451 452 fstat(fd, &statbuf); 453 /* If the keys are kept on a raw block device, do not try to truncate it. */ 454 if (S_ISREG(statbuf.st_mode)) { 455 if (ftruncate(fd, 0x4000)) { 456 SLOGE("Cannot set footer file size\n"); 457 goto errout; 458 } 459 } 460 461 /* Success! */ 462 rc = 0; 463 464errout: 465 close(fd); 466 return rc; 467 468} 469 470static inline int unix_read(int fd, void* buff, int len) 471{ 472 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 473} 474 475static inline int unix_write(int fd, const void* buff, int len) 476{ 477 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 478} 479 480static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 481{ 482 memset(pdata, 0, len); 483 pdata->persist_magic = PERSIST_DATA_MAGIC; 484 pdata->persist_valid_entries = 0; 485} 486 487/* A routine to update the passed in crypt_ftr to the lastest version. 488 * fd is open read/write on the device that holds the crypto footer and persistent 489 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 490 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 491 */ 492static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 493{ 494 int orig_major = crypt_ftr->major_version; 495 int orig_minor = crypt_ftr->minor_version; 496 497 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 498 struct crypt_persist_data *pdata; 499 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 500 501 SLOGW("upgrading crypto footer to 1.1"); 502 503 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 504 if (pdata == NULL) { 505 SLOGE("Cannot allocate persisent data\n"); 506 return; 507 } 508 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 509 510 /* Need to initialize the persistent data area */ 511 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 512 SLOGE("Cannot seek to persisent data offset\n"); 513 return; 514 } 515 /* Write all zeros to the first copy, making it invalid */ 516 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 517 518 /* Write a valid but empty structure to the second copy */ 519 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 520 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 521 522 /* Update the footer */ 523 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 524 crypt_ftr->persist_data_offset[0] = pdata_offset; 525 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 526 crypt_ftr->minor_version = 1; 527 } 528 529 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 530 SLOGW("upgrading crypto footer to 1.2"); 531 /* But keep the old kdf_type. 532 * It will get updated later to KDF_SCRYPT after the password has been verified. 533 */ 534 crypt_ftr->kdf_type = KDF_PBKDF2; 535 get_device_scrypt_params(crypt_ftr); 536 crypt_ftr->minor_version = 2; 537 } 538 539 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 540 SLOGW("upgrading crypto footer to 1.3"); 541 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 542 crypt_ftr->minor_version = 3; 543 } 544 545 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 546 if (lseek64(fd, offset, SEEK_SET) == -1) { 547 SLOGE("Cannot seek to crypt footer\n"); 548 return; 549 } 550 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 551 } 552} 553 554 555static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 556{ 557 int fd; 558 unsigned int nr_sec, cnt; 559 off64_t starting_off; 560 int rc = -1; 561 char *fname = NULL; 562 struct stat statbuf; 563 564 if (get_crypt_ftr_info(&fname, &starting_off)) { 565 SLOGE("Unable to get crypt_ftr_info\n"); 566 return -1; 567 } 568 if (fname[0] != '/') { 569 SLOGE("Unexpected value for crypto key location\n"); 570 return -1; 571 } 572 if ( (fd = open(fname, O_RDWR)) < 0) { 573 SLOGE("Cannot open footer file %s for get\n", fname); 574 return -1; 575 } 576 577 /* Make sure it's 16 Kbytes in length */ 578 fstat(fd, &statbuf); 579 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 580 SLOGE("footer file %s is not the expected size!\n", fname); 581 goto errout; 582 } 583 584 /* Seek to the start of the crypt footer */ 585 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 586 SLOGE("Cannot seek to real block device footer\n"); 587 goto errout; 588 } 589 590 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 591 SLOGE("Cannot read real block device footer\n"); 592 goto errout; 593 } 594 595 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 596 SLOGE("Bad magic for real block device %s\n", fname); 597 goto errout; 598 } 599 600 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 601 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 602 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 603 goto errout; 604 } 605 606 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 607 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 608 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 609 } 610 611 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 612 * copy on disk before returning. 613 */ 614 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 615 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 616 } 617 618 /* Success! */ 619 rc = 0; 620 621errout: 622 close(fd); 623 return rc; 624} 625 626static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 627{ 628 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 629 crypt_ftr->persist_data_offset[1]) { 630 SLOGE("Crypt_ftr persist data regions overlap"); 631 return -1; 632 } 633 634 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 635 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 636 return -1; 637 } 638 639 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 640 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 641 CRYPT_FOOTER_OFFSET) { 642 SLOGE("Persistent data extends past crypto footer"); 643 return -1; 644 } 645 646 return 0; 647} 648 649static int load_persistent_data(void) 650{ 651 struct crypt_mnt_ftr crypt_ftr; 652 struct crypt_persist_data *pdata = NULL; 653 char encrypted_state[PROPERTY_VALUE_MAX]; 654 char *fname; 655 int found = 0; 656 int fd; 657 int ret; 658 int i; 659 660 if (persist_data) { 661 /* Nothing to do, we've already loaded or initialized it */ 662 return 0; 663 } 664 665 666 /* If not encrypted, just allocate an empty table and initialize it */ 667 property_get("ro.crypto.state", encrypted_state, ""); 668 if (strcmp(encrypted_state, "encrypted") ) { 669 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 670 if (pdata) { 671 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 672 persist_data = pdata; 673 return 0; 674 } 675 return -1; 676 } 677 678 if(get_crypt_ftr_and_key(&crypt_ftr)) { 679 return -1; 680 } 681 682 if ((crypt_ftr.major_version < 1) 683 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 684 SLOGE("Crypt_ftr version doesn't support persistent data"); 685 return -1; 686 } 687 688 if (get_crypt_ftr_info(&fname, NULL)) { 689 return -1; 690 } 691 692 ret = validate_persistent_data_storage(&crypt_ftr); 693 if (ret) { 694 return -1; 695 } 696 697 fd = open(fname, O_RDONLY); 698 if (fd < 0) { 699 SLOGE("Cannot open %s metadata file", fname); 700 return -1; 701 } 702 703 if (persist_data == NULL) { 704 pdata = malloc(crypt_ftr.persist_data_size); 705 if (pdata == NULL) { 706 SLOGE("Cannot allocate memory for persistent data"); 707 goto err; 708 } 709 } 710 711 for (i = 0; i < 2; i++) { 712 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 713 SLOGE("Cannot seek to read persistent data on %s", fname); 714 goto err2; 715 } 716 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 717 SLOGE("Error reading persistent data on iteration %d", i); 718 goto err2; 719 } 720 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 721 found = 1; 722 break; 723 } 724 } 725 726 if (!found) { 727 SLOGI("Could not find valid persistent data, creating"); 728 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 729 } 730 731 /* Success */ 732 persist_data = pdata; 733 close(fd); 734 return 0; 735 736err2: 737 free(pdata); 738 739err: 740 close(fd); 741 return -1; 742} 743 744static int save_persistent_data(void) 745{ 746 struct crypt_mnt_ftr crypt_ftr; 747 struct crypt_persist_data *pdata; 748 char *fname; 749 off64_t write_offset; 750 off64_t erase_offset; 751 int found = 0; 752 int fd; 753 int ret; 754 755 if (persist_data == NULL) { 756 SLOGE("No persistent data to save"); 757 return -1; 758 } 759 760 if(get_crypt_ftr_and_key(&crypt_ftr)) { 761 return -1; 762 } 763 764 if ((crypt_ftr.major_version < 1) 765 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 766 SLOGE("Crypt_ftr version doesn't support persistent data"); 767 return -1; 768 } 769 770 ret = validate_persistent_data_storage(&crypt_ftr); 771 if (ret) { 772 return -1; 773 } 774 775 if (get_crypt_ftr_info(&fname, NULL)) { 776 return -1; 777 } 778 779 fd = open(fname, O_RDWR); 780 if (fd < 0) { 781 SLOGE("Cannot open %s metadata file", fname); 782 return -1; 783 } 784 785 pdata = malloc(crypt_ftr.persist_data_size); 786 if (pdata == NULL) { 787 SLOGE("Cannot allocate persistant data"); 788 goto err; 789 } 790 791 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 792 SLOGE("Cannot seek to read persistent data on %s", fname); 793 goto err2; 794 } 795 796 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 797 SLOGE("Error reading persistent data before save"); 798 goto err2; 799 } 800 801 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 802 /* The first copy is the curent valid copy, so write to 803 * the second copy and erase this one */ 804 write_offset = crypt_ftr.persist_data_offset[1]; 805 erase_offset = crypt_ftr.persist_data_offset[0]; 806 } else { 807 /* The second copy must be the valid copy, so write to 808 * the first copy, and erase the second */ 809 write_offset = crypt_ftr.persist_data_offset[0]; 810 erase_offset = crypt_ftr.persist_data_offset[1]; 811 } 812 813 /* Write the new copy first, if successful, then erase the old copy */ 814 if (lseek(fd, write_offset, SEEK_SET) < 0) { 815 SLOGE("Cannot seek to write persistent data"); 816 goto err2; 817 } 818 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 819 (int) crypt_ftr.persist_data_size) { 820 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 821 SLOGE("Cannot seek to erase previous persistent data"); 822 goto err2; 823 } 824 fsync(fd); 825 memset(pdata, 0, crypt_ftr.persist_data_size); 826 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 827 (int) crypt_ftr.persist_data_size) { 828 SLOGE("Cannot write to erase previous persistent data"); 829 goto err2; 830 } 831 fsync(fd); 832 } else { 833 SLOGE("Cannot write to save persistent data"); 834 goto err2; 835 } 836 837 /* Success */ 838 free(pdata); 839 close(fd); 840 return 0; 841 842err2: 843 free(pdata); 844err: 845 close(fd); 846 return -1; 847} 848 849static int hexdigit (char c) 850{ 851 if (c >= '0' && c <= '9') return c - '0'; 852 c = tolower(c); 853 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 854 return -1; 855} 856 857static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 858 unsigned int* out_keysize) 859{ 860 unsigned int i; 861 *out_keysize = 0; 862 863 size_t size = strlen (master_key_ascii); 864 if (size % 2) { 865 SLOGE("Trying to convert ascii string of odd length"); 866 return NULL; 867 } 868 869 unsigned char* master_key = (unsigned char*) malloc(size / 2); 870 if (master_key == 0) { 871 SLOGE("Cannot allocate"); 872 return NULL; 873 } 874 875 for (i = 0; i < size; i += 2) { 876 int high_nibble = hexdigit (master_key_ascii[i]); 877 int low_nibble = hexdigit (master_key_ascii[i + 1]); 878 879 if(high_nibble < 0 || low_nibble < 0) { 880 SLOGE("Invalid hex string"); 881 free (master_key); 882 return NULL; 883 } 884 885 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 886 (*out_keysize)++; 887 } 888 889 return master_key; 890} 891 892/* Convert a binary key of specified length into an ascii hex string equivalent, 893 * without the leading 0x and with null termination 894 */ 895static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 896 char *master_key_ascii) 897{ 898 unsigned int i, a; 899 unsigned char nibble; 900 901 for (i=0, a=0; i<keysize; i++, a+=2) { 902 /* For each byte, write out two ascii hex digits */ 903 nibble = (master_key[i] >> 4) & 0xf; 904 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 905 906 nibble = master_key[i] & 0xf; 907 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 908 } 909 910 /* Add the null termination */ 911 master_key_ascii[a] = '\0'; 912 913} 914 915static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 916 char *real_blk_name, const char *name, int fd, 917 char *extra_params) 918{ 919 char buffer[DM_CRYPT_BUF_SIZE]; 920 struct dm_ioctl *io; 921 struct dm_target_spec *tgt; 922 char *crypt_params; 923 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 924 int i; 925 926 io = (struct dm_ioctl *) buffer; 927 928 /* Load the mapping table for this device */ 929 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 930 931 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 932 io->target_count = 1; 933 tgt->status = 0; 934 tgt->sector_start = 0; 935 tgt->length = crypt_ftr->fs_size; 936 strcpy(tgt->target_type, "crypt"); 937 938 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 939 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 940 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 941 master_key_ascii, real_blk_name, extra_params); 942 crypt_params += strlen(crypt_params) + 1; 943 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 944 tgt->next = crypt_params - buffer; 945 946 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 947 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 948 break; 949 } 950 usleep(500000); 951 } 952 953 if (i == TABLE_LOAD_RETRIES) { 954 /* We failed to load the table, return an error */ 955 return -1; 956 } else { 957 return i + 1; 958 } 959} 960 961 962static int get_dm_crypt_version(int fd, const char *name, int *version) 963{ 964 char buffer[DM_CRYPT_BUF_SIZE]; 965 struct dm_ioctl *io; 966 struct dm_target_versions *v; 967 int i; 968 969 io = (struct dm_ioctl *) buffer; 970 971 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 972 973 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 974 return -1; 975 } 976 977 /* Iterate over the returned versions, looking for name of "crypt". 978 * When found, get and return the version. 979 */ 980 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 981 while (v->next) { 982 if (! strcmp(v->name, "crypt")) { 983 /* We found the crypt driver, return the version, and get out */ 984 version[0] = v->version[0]; 985 version[1] = v->version[1]; 986 version[2] = v->version[2]; 987 return 0; 988 } 989 v = (struct dm_target_versions *)(((char *)v) + v->next); 990 } 991 992 return -1; 993} 994 995static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 996 char *real_blk_name, char *crypto_blk_name, const char *name) 997{ 998 char buffer[DM_CRYPT_BUF_SIZE]; 999 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1000 char *crypt_params; 1001 struct dm_ioctl *io; 1002 struct dm_target_spec *tgt; 1003 unsigned int minor; 1004 int fd; 1005 int i; 1006 int retval = -1; 1007 int version[3]; 1008 char *extra_params; 1009 int load_count; 1010 1011 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1012 SLOGE("Cannot open device-mapper\n"); 1013 goto errout; 1014 } 1015 1016 io = (struct dm_ioctl *) buffer; 1017 1018 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1019 if (ioctl(fd, DM_DEV_CREATE, io)) { 1020 SLOGE("Cannot create dm-crypt device\n"); 1021 goto errout; 1022 } 1023 1024 /* Get the device status, in particular, the name of it's device file */ 1025 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1026 if (ioctl(fd, DM_DEV_STATUS, io)) { 1027 SLOGE("Cannot retrieve dm-crypt device status\n"); 1028 goto errout; 1029 } 1030 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1031 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1032 1033 extra_params = ""; 1034 if (! get_dm_crypt_version(fd, name, version)) { 1035 /* Support for allow_discards was added in version 1.11.0 */ 1036 if ((version[0] >= 2) || 1037 ((version[0] == 1) && (version[1] >= 11))) { 1038 extra_params = "1 allow_discards"; 1039 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1040 } 1041 } 1042 1043 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1044 fd, extra_params); 1045 if (load_count < 0) { 1046 SLOGE("Cannot load dm-crypt mapping table.\n"); 1047 goto errout; 1048 } else if (load_count > 1) { 1049 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1050 } 1051 1052 /* Resume this device to activate it */ 1053 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1054 1055 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1056 SLOGE("Cannot resume the dm-crypt device\n"); 1057 goto errout; 1058 } 1059 1060 /* We made it here with no errors. Woot! */ 1061 retval = 0; 1062 1063errout: 1064 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1065 1066 return retval; 1067} 1068 1069static int delete_crypto_blk_dev(char *name) 1070{ 1071 int fd; 1072 char buffer[DM_CRYPT_BUF_SIZE]; 1073 struct dm_ioctl *io; 1074 int retval = -1; 1075 1076 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1077 SLOGE("Cannot open device-mapper\n"); 1078 goto errout; 1079 } 1080 1081 io = (struct dm_ioctl *) buffer; 1082 1083 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1084 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1085 SLOGE("Cannot remove dm-crypt device\n"); 1086 goto errout; 1087 } 1088 1089 /* We made it here with no errors. Woot! */ 1090 retval = 0; 1091 1092errout: 1093 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1094 1095 return retval; 1096 1097} 1098 1099static int pbkdf2(const char *passwd, const unsigned char *salt, 1100 unsigned char *ikey, void *params UNUSED) 1101{ 1102 SLOGI("Using pbkdf2 for cryptfs KDF"); 1103 1104 /* Turn the password into a key and IV that can decrypt the master key */ 1105 unsigned int keysize; 1106 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1107 if (!master_key) return -1; 1108 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1109 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1110 1111 memset(master_key, 0, keysize); 1112 free (master_key); 1113 return 0; 1114} 1115 1116static int scrypt(const char *passwd, const unsigned char *salt, 1117 unsigned char *ikey, void *params) 1118{ 1119 SLOGI("Using scrypt for cryptfs KDF"); 1120 1121 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1122 1123 int N = 1 << ftr->N_factor; 1124 int r = 1 << ftr->r_factor; 1125 int p = 1 << ftr->p_factor; 1126 1127 /* Turn the password into a key and IV that can decrypt the master key */ 1128 unsigned int keysize; 1129 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1130 if (!master_key) return -1; 1131 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1132 KEY_LEN_BYTES + IV_LEN_BYTES); 1133 1134 memset(master_key, 0, keysize); 1135 free (master_key); 1136 return 0; 1137} 1138 1139static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1140 unsigned char *ikey, void *params) 1141{ 1142 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1143 1144 int rc; 1145 unsigned int key_size; 1146 size_t signature_size; 1147 unsigned char* signature; 1148 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1149 1150 int N = 1 << ftr->N_factor; 1151 int r = 1 << ftr->r_factor; 1152 int p = 1 << ftr->p_factor; 1153 1154 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1155 if (!master_key) { 1156 SLOGE("Failed to convert passwd from hex"); 1157 return -1; 1158 } 1159 1160 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1161 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1162 memset(master_key, 0, key_size); 1163 free(master_key); 1164 1165 if (rc) { 1166 SLOGE("scrypt failed"); 1167 return -1; 1168 } 1169 1170 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1171 &signature, &signature_size)) { 1172 SLOGE("Signing failed"); 1173 return -1; 1174 } 1175 1176 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1177 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1178 free(signature); 1179 1180 if (rc) { 1181 SLOGE("scrypt failed"); 1182 return -1; 1183 } 1184 1185 return 0; 1186} 1187 1188static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1189 const unsigned char *decrypted_master_key, 1190 unsigned char *encrypted_master_key, 1191 struct crypt_mnt_ftr *crypt_ftr) 1192{ 1193 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1194 EVP_CIPHER_CTX e_ctx; 1195 int encrypted_len, final_len; 1196 int rc = 0; 1197 1198 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1199 get_device_scrypt_params(crypt_ftr); 1200 1201 switch (crypt_ftr->kdf_type) { 1202 case KDF_SCRYPT_KEYMASTER: 1203 if (keymaster_create_key(crypt_ftr)) { 1204 SLOGE("keymaster_create_key failed"); 1205 return -1; 1206 } 1207 1208 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1209 SLOGE("scrypt failed"); 1210 return -1; 1211 } 1212 break; 1213 1214 case KDF_SCRYPT: 1215 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1216 SLOGE("scrypt failed"); 1217 return -1; 1218 } 1219 break; 1220 1221 default: 1222 SLOGE("Invalid kdf_type"); 1223 return -1; 1224 } 1225 1226 /* Initialize the decryption engine */ 1227 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1228 SLOGE("EVP_EncryptInit failed\n"); 1229 return -1; 1230 } 1231 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1232 1233 /* Encrypt the master key */ 1234 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1235 decrypted_master_key, KEY_LEN_BYTES)) { 1236 SLOGE("EVP_EncryptUpdate failed\n"); 1237 return -1; 1238 } 1239 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1240 SLOGE("EVP_EncryptFinal failed\n"); 1241 return -1; 1242 } 1243 1244 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1245 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1246 return -1; 1247 } 1248 1249 /* Store the scrypt of the intermediate key, so we can validate if it's a 1250 password error or mount error when things go wrong. 1251 Note there's no need to check for errors, since if this is incorrect, we 1252 simply won't wipe userdata, which is the correct default behavior 1253 */ 1254 int N = 1 << crypt_ftr->N_factor; 1255 int r = 1 << crypt_ftr->r_factor; 1256 int p = 1 << crypt_ftr->p_factor; 1257 1258 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1259 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1260 crypt_ftr->scrypted_intermediate_key, 1261 sizeof(crypt_ftr->scrypted_intermediate_key)); 1262 1263 if (rc) { 1264 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1265 } 1266 1267 return 0; 1268} 1269 1270static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1271 unsigned char *encrypted_master_key, 1272 unsigned char *decrypted_master_key, 1273 kdf_func kdf, void *kdf_params, 1274 unsigned char** intermediate_key, 1275 size_t* intermediate_key_size) 1276{ 1277 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1278 EVP_CIPHER_CTX d_ctx; 1279 int decrypted_len, final_len; 1280 1281 /* Turn the password into an intermediate key and IV that can decrypt the 1282 master key */ 1283 if (kdf(passwd, salt, ikey, kdf_params)) { 1284 SLOGE("kdf failed"); 1285 return -1; 1286 } 1287 1288 /* Initialize the decryption engine */ 1289 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1290 return -1; 1291 } 1292 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1293 /* Decrypt the master key */ 1294 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1295 encrypted_master_key, KEY_LEN_BYTES)) { 1296 return -1; 1297 } 1298 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1299 return -1; 1300 } 1301 1302 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1303 return -1; 1304 } 1305 1306 /* Copy intermediate key if needed by params */ 1307 if (intermediate_key && intermediate_key_size) { 1308 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1309 if (intermediate_key) { 1310 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1311 *intermediate_key_size = KEY_LEN_BYTES; 1312 } 1313 } 1314 1315 return 0; 1316} 1317 1318static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1319{ 1320 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1321 *kdf = scrypt_keymaster; 1322 *kdf_params = ftr; 1323 } else if (ftr->kdf_type == KDF_SCRYPT) { 1324 *kdf = scrypt; 1325 *kdf_params = ftr; 1326 } else { 1327 *kdf = pbkdf2; 1328 *kdf_params = NULL; 1329 } 1330} 1331 1332static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1333 struct crypt_mnt_ftr *crypt_ftr, 1334 unsigned char** intermediate_key, 1335 size_t* intermediate_key_size) 1336{ 1337 kdf_func kdf; 1338 void *kdf_params; 1339 int ret; 1340 1341 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1342 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1343 decrypted_master_key, kdf, kdf_params, 1344 intermediate_key, intermediate_key_size); 1345 if (ret != 0) { 1346 SLOGW("failure decrypting master key"); 1347 } 1348 1349 return ret; 1350} 1351 1352static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1353 struct crypt_mnt_ftr *crypt_ftr) { 1354 int fd; 1355 unsigned char key_buf[KEY_LEN_BYTES]; 1356 EVP_CIPHER_CTX e_ctx; 1357 int encrypted_len, final_len; 1358 1359 /* Get some random bits for a key */ 1360 fd = open("/dev/urandom", O_RDONLY); 1361 read(fd, key_buf, sizeof(key_buf)); 1362 read(fd, salt, SALT_LEN); 1363 close(fd); 1364 1365 /* Now encrypt it with the password */ 1366 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1367} 1368 1369static int wait_and_unmount(char *mountpoint) 1370{ 1371 int i, rc; 1372#define WAIT_UNMOUNT_COUNT 20 1373 1374 /* Now umount the tmpfs filesystem */ 1375 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1376 if (umount(mountpoint)) { 1377 if (errno == EINVAL) { 1378 /* EINVAL is returned if the directory is not a mountpoint, 1379 * i.e. there is no filesystem mounted there. So just get out. 1380 */ 1381 break; 1382 } 1383 sleep(1); 1384 i++; 1385 } else { 1386 break; 1387 } 1388 } 1389 1390 if (i < WAIT_UNMOUNT_COUNT) { 1391 SLOGD("unmounting %s succeeded\n", mountpoint); 1392 rc = 0; 1393 } else { 1394 SLOGE("unmounting %s failed\n", mountpoint); 1395 rc = -1; 1396 } 1397 1398 return rc; 1399} 1400 1401#define DATA_PREP_TIMEOUT 200 1402static int prep_data_fs(void) 1403{ 1404 int i; 1405 1406 /* Do the prep of the /data filesystem */ 1407 property_set("vold.post_fs_data_done", "0"); 1408 property_set("vold.decrypt", "trigger_post_fs_data"); 1409 SLOGD("Just triggered post_fs_data\n"); 1410 1411 /* Wait a max of 50 seconds, hopefully it takes much less */ 1412 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1413 char p[PROPERTY_VALUE_MAX]; 1414 1415 property_get("vold.post_fs_data_done", p, "0"); 1416 if (*p == '1') { 1417 break; 1418 } else { 1419 usleep(250000); 1420 } 1421 } 1422 if (i == DATA_PREP_TIMEOUT) { 1423 /* Ugh, we failed to prep /data in time. Bail. */ 1424 SLOGE("post_fs_data timed out!\n"); 1425 return -1; 1426 } else { 1427 SLOGD("post_fs_data done\n"); 1428 return 0; 1429 } 1430} 1431 1432static void cryptfs_set_corrupt() 1433{ 1434 // Mark the footer as bad 1435 struct crypt_mnt_ftr crypt_ftr; 1436 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1437 SLOGE("Failed to get crypto footer - panic"); 1438 return; 1439 } 1440 1441 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1442 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1443 SLOGE("Failed to set crypto footer - panic"); 1444 return; 1445 } 1446} 1447 1448static void cryptfs_trigger_restart_min_framework() 1449{ 1450 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1451 SLOGE("Failed to mount tmpfs on data - panic"); 1452 return; 1453 } 1454 1455 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1456 SLOGE("Failed to trigger post fs data - panic"); 1457 return; 1458 } 1459 1460 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1461 SLOGE("Failed to trigger restart min framework - panic"); 1462 return; 1463 } 1464} 1465 1466static int cryptfs_restart_internal(int restart_main) 1467{ 1468 char fs_type[32]; 1469 char real_blkdev[MAXPATHLEN]; 1470 char crypto_blkdev[MAXPATHLEN]; 1471 char fs_options[256]; 1472 unsigned long mnt_flags; 1473 struct stat statbuf; 1474 int rc = -1, i; 1475 static int restart_successful = 0; 1476 1477 /* Validate that it's OK to call this routine */ 1478 if (! master_key_saved) { 1479 SLOGE("Encrypted filesystem not validated, aborting"); 1480 return -1; 1481 } 1482 1483 if (restart_successful) { 1484 SLOGE("System already restarted with encrypted disk, aborting"); 1485 return -1; 1486 } 1487 1488 if (restart_main) { 1489 /* Here is where we shut down the framework. The init scripts 1490 * start all services in one of three classes: core, main or late_start. 1491 * On boot, we start core and main. Now, we stop main, but not core, 1492 * as core includes vold and a few other really important things that 1493 * we need to keep running. Once main has stopped, we should be able 1494 * to umount the tmpfs /data, then mount the encrypted /data. 1495 * We then restart the class main, and also the class late_start. 1496 * At the moment, I've only put a few things in late_start that I know 1497 * are not needed to bring up the framework, and that also cause problems 1498 * with unmounting the tmpfs /data, but I hope to add add more services 1499 * to the late_start class as we optimize this to decrease the delay 1500 * till the user is asked for the password to the filesystem. 1501 */ 1502 1503 /* The init files are setup to stop the class main when vold.decrypt is 1504 * set to trigger_reset_main. 1505 */ 1506 property_set("vold.decrypt", "trigger_reset_main"); 1507 SLOGD("Just asked init to shut down class main\n"); 1508 1509 /* Ugh, shutting down the framework is not synchronous, so until it 1510 * can be fixed, this horrible hack will wait a moment for it all to 1511 * shut down before proceeding. Without it, some devices cannot 1512 * restart the graphics services. 1513 */ 1514 sleep(2); 1515 } 1516 1517 /* Now that the framework is shutdown, we should be able to umount() 1518 * the tmpfs filesystem, and mount the real one. 1519 */ 1520 1521 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1522 if (strlen(crypto_blkdev) == 0) { 1523 SLOGE("fs_crypto_blkdev not set\n"); 1524 return -1; 1525 } 1526 1527 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) { 1528 /* If ro.crypto.readonly is set to 1, mount the decrypted 1529 * filesystem readonly. This is used when /data is mounted by 1530 * recovery mode. 1531 */ 1532 char ro_prop[PROPERTY_VALUE_MAX]; 1533 property_get("ro.crypto.readonly", ro_prop, ""); 1534 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1535 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1536 rec->flags |= MS_RDONLY; 1537 } 1538 1539 /* If that succeeded, then mount the decrypted filesystem */ 1540 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, 0)) { 1541 SLOGE("Failed to mount decrypted data"); 1542 cryptfs_set_corrupt(); 1543 cryptfs_trigger_restart_min_framework(); 1544 SLOGI("Started framework to offer wipe"); 1545 return -1; 1546 } 1547 1548 property_set("vold.decrypt", "trigger_load_persist_props"); 1549 /* Create necessary paths on /data */ 1550 if (prep_data_fs()) { 1551 return -1; 1552 } 1553 1554 /* startup service classes main and late_start */ 1555 property_set("vold.decrypt", "trigger_restart_framework"); 1556 SLOGD("Just triggered restart_framework\n"); 1557 1558 /* Give it a few moments to get started */ 1559 sleep(1); 1560 } 1561 1562 if (rc == 0) { 1563 restart_successful = 1; 1564 } 1565 1566 return rc; 1567} 1568 1569int cryptfs_restart(void) 1570{ 1571 /* Call internal implementation forcing a restart of main service group */ 1572 return cryptfs_restart_internal(1); 1573} 1574 1575static int do_crypto_complete(char *mount_point UNUSED) 1576{ 1577 struct crypt_mnt_ftr crypt_ftr; 1578 char encrypted_state[PROPERTY_VALUE_MAX]; 1579 char key_loc[PROPERTY_VALUE_MAX]; 1580 1581 property_get("ro.crypto.state", encrypted_state, ""); 1582 if (strcmp(encrypted_state, "encrypted") ) { 1583 SLOGE("not running with encryption, aborting"); 1584 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1585 } 1586 1587 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1588 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1589 1590 /* 1591 * Only report this error if key_loc is a file and it exists. 1592 * If the device was never encrypted, and /data is not mountable for 1593 * some reason, returning 1 should prevent the UI from presenting the 1594 * a "enter password" screen, or worse, a "press button to wipe the 1595 * device" screen. 1596 */ 1597 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1598 SLOGE("master key file does not exist, aborting"); 1599 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1600 } else { 1601 SLOGE("Error getting crypt footer and key\n"); 1602 return CRYPTO_COMPLETE_BAD_METADATA; 1603 } 1604 } 1605 1606 // Test for possible error flags 1607 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1608 SLOGE("Encryption process is partway completed\n"); 1609 return CRYPTO_COMPLETE_PARTIAL; 1610 } 1611 1612 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1613 SLOGE("Encryption process was interrupted but cannot continue\n"); 1614 return CRYPTO_COMPLETE_INCONSISTENT; 1615 } 1616 1617 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1618 SLOGE("Encryption is successful but data is corrupt\n"); 1619 return CRYPTO_COMPLETE_CORRUPT; 1620 } 1621 1622 /* We passed the test! We shall diminish, and return to the west */ 1623 return CRYPTO_COMPLETE_ENCRYPTED; 1624} 1625 1626static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1627 char *passwd, char *mount_point, char *label) 1628{ 1629 /* Allocate enough space for a 256 bit key, but we may use less */ 1630 unsigned char decrypted_master_key[32]; 1631 char crypto_blkdev[MAXPATHLEN]; 1632 char real_blkdev[MAXPATHLEN]; 1633 char tmp_mount_point[64]; 1634 unsigned int orig_failed_decrypt_count; 1635 int rc; 1636 kdf_func kdf; 1637 void *kdf_params; 1638 int use_keymaster = 0; 1639 int upgrade = 0; 1640 unsigned char* intermediate_key = 0; 1641 size_t intermediate_key_size = 0; 1642 1643 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1644 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1645 1646 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1647 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1648 &intermediate_key, &intermediate_key_size)) { 1649 SLOGE("Failed to decrypt master key\n"); 1650 rc = -1; 1651 goto errout; 1652 } 1653 } 1654 1655 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1656 1657 // Create crypto block device - all (non fatal) code paths 1658 // need it 1659 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1660 real_blkdev, crypto_blkdev, label)) { 1661 SLOGE("Error creating decrypted block device\n"); 1662 rc = -1; 1663 goto errout; 1664 } 1665 1666 /* Work out if the problem is the password or the data */ 1667 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1668 scrypted_intermediate_key)]; 1669 int N = 1 << crypt_ftr->N_factor; 1670 int r = 1 << crypt_ftr->r_factor; 1671 int p = 1 << crypt_ftr->p_factor; 1672 1673 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1674 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1675 N, r, p, scrypted_intermediate_key, 1676 sizeof(scrypted_intermediate_key)); 1677 1678 // Does the key match the crypto footer? 1679 if (rc == 0 && memcmp(scrypted_intermediate_key, 1680 crypt_ftr->scrypted_intermediate_key, 1681 sizeof(scrypted_intermediate_key)) == 0) { 1682 SLOGI("Password matches"); 1683 rc = 0; 1684 } else { 1685 /* Try mounting the file system anyway, just in case the problem's with 1686 * the footer, not the key. */ 1687 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1688 mkdir(tmp_mount_point, 0755); 1689 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1690 SLOGE("Error temp mounting decrypted block device\n"); 1691 delete_crypto_blk_dev(label); 1692 1693 rc = ++crypt_ftr->failed_decrypt_count; 1694 put_crypt_ftr_and_key(crypt_ftr); 1695 } else { 1696 /* Success! */ 1697 SLOGI("Password did not match but decrypted drive mounted - continue"); 1698 umount(tmp_mount_point); 1699 rc = 0; 1700 } 1701 } 1702 1703 if (rc == 0) { 1704 crypt_ftr->failed_decrypt_count = 0; 1705 1706 /* Save the name of the crypto block device 1707 * so we can mount it when restarting the framework. */ 1708 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1709 1710 /* Also save a the master key so we can reencrypted the key 1711 * the key when we want to change the password on it. */ 1712 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1713 saved_mount_point = strdup(mount_point); 1714 master_key_saved = 1; 1715 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1716 rc = 0; 1717 1718 // Upgrade if we're not using the latest KDF. 1719 use_keymaster = keymaster_check_compatibility(); 1720 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1721 // Don't allow downgrade to KDF_SCRYPT 1722 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1723 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1724 upgrade = 1; 1725 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1726 crypt_ftr->kdf_type = KDF_SCRYPT; 1727 upgrade = 1; 1728 } 1729 1730 if (upgrade) { 1731 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1732 crypt_ftr->master_key, crypt_ftr); 1733 if (!rc) { 1734 rc = put_crypt_ftr_and_key(crypt_ftr); 1735 } 1736 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1737 } 1738 } 1739 1740 errout: 1741 if (intermediate_key) { 1742 memset(intermediate_key, 0, intermediate_key_size); 1743 free(intermediate_key); 1744 } 1745 return rc; 1746} 1747 1748/* Called by vold when it wants to undo the crypto mapping of a volume it 1749 * manages. This is usually in response to a factory reset, when we want 1750 * to undo the crypto mapping so the volume is formatted in the clear. 1751 */ 1752int cryptfs_revert_volume(const char *label) 1753{ 1754 return delete_crypto_blk_dev((char *)label); 1755} 1756 1757/* 1758 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1759 * Setup a dm-crypt mapping, use the saved master key from 1760 * setting up the /data mapping, and return the new device path. 1761 */ 1762int cryptfs_setup_volume(const char *label, int major, int minor, 1763 char *crypto_sys_path, unsigned int max_path, 1764 int *new_major, int *new_minor) 1765{ 1766 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1767 struct crypt_mnt_ftr sd_crypt_ftr; 1768 struct stat statbuf; 1769 int nr_sec, fd; 1770 1771 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1772 1773 get_crypt_ftr_and_key(&sd_crypt_ftr); 1774 1775 /* Update the fs_size field to be the size of the volume */ 1776 fd = open(real_blkdev, O_RDONLY); 1777 nr_sec = get_blkdev_size(fd); 1778 close(fd); 1779 if (nr_sec == 0) { 1780 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1781 return -1; 1782 } 1783 1784 sd_crypt_ftr.fs_size = nr_sec; 1785 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1786 crypto_blkdev, label); 1787 1788 stat(crypto_blkdev, &statbuf); 1789 *new_major = MAJOR(statbuf.st_rdev); 1790 *new_minor = MINOR(statbuf.st_rdev); 1791 1792 /* Create path to sys entry for this block device */ 1793 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1794 1795 return 0; 1796} 1797 1798int cryptfs_crypto_complete(void) 1799{ 1800 return do_crypto_complete("/data"); 1801} 1802 1803int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1804{ 1805 char encrypted_state[PROPERTY_VALUE_MAX]; 1806 property_get("ro.crypto.state", encrypted_state, ""); 1807 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1808 SLOGE("encrypted fs already validated or not running with encryption," 1809 " aborting"); 1810 return -1; 1811 } 1812 1813 if (get_crypt_ftr_and_key(crypt_ftr)) { 1814 SLOGE("Error getting crypt footer and key"); 1815 return -1; 1816 } 1817 1818 return 0; 1819} 1820 1821int cryptfs_check_passwd(char *passwd) 1822{ 1823 struct crypt_mnt_ftr crypt_ftr; 1824 int rc; 1825 1826 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1827 if (rc) 1828 return rc; 1829 1830 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1831 DATA_MNT_POINT, "userdata"); 1832 1833 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1834 cryptfs_clear_password(); 1835 password = strdup(passwd); 1836 struct timespec now; 1837 clock_gettime(CLOCK_BOOTTIME, &now); 1838 password_expiry_time = now.tv_sec + password_max_age_seconds; 1839 } 1840 1841 return rc; 1842} 1843 1844int cryptfs_verify_passwd(char *passwd) 1845{ 1846 struct crypt_mnt_ftr crypt_ftr; 1847 /* Allocate enough space for a 256 bit key, but we may use less */ 1848 unsigned char decrypted_master_key[32]; 1849 char encrypted_state[PROPERTY_VALUE_MAX]; 1850 int rc; 1851 1852 property_get("ro.crypto.state", encrypted_state, ""); 1853 if (strcmp(encrypted_state, "encrypted") ) { 1854 SLOGE("device not encrypted, aborting"); 1855 return -2; 1856 } 1857 1858 if (!master_key_saved) { 1859 SLOGE("encrypted fs not yet mounted, aborting"); 1860 return -1; 1861 } 1862 1863 if (!saved_mount_point) { 1864 SLOGE("encrypted fs failed to save mount point, aborting"); 1865 return -1; 1866 } 1867 1868 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1869 SLOGE("Error getting crypt footer and key\n"); 1870 return -1; 1871 } 1872 1873 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 1874 /* If the device has no password, then just say the password is valid */ 1875 rc = 0; 1876 } else { 1877 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 1878 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 1879 /* They match, the password is correct */ 1880 rc = 0; 1881 } else { 1882 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 1883 sleep(1); 1884 rc = 1; 1885 } 1886 } 1887 1888 return rc; 1889} 1890 1891/* Initialize a crypt_mnt_ftr structure. The keysize is 1892 * defaulted to 16 bytes, and the filesystem size to 0. 1893 * Presumably, at a minimum, the caller will update the 1894 * filesystem size and crypto_type_name after calling this function. 1895 */ 1896static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 1897{ 1898 off64_t off; 1899 1900 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 1901 ftr->magic = CRYPT_MNT_MAGIC; 1902 ftr->major_version = CURRENT_MAJOR_VERSION; 1903 ftr->minor_version = CURRENT_MINOR_VERSION; 1904 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 1905 ftr->keysize = KEY_LEN_BYTES; 1906 1907 switch (keymaster_check_compatibility()) { 1908 case 1: 1909 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1910 break; 1911 1912 case 0: 1913 ftr->kdf_type = KDF_SCRYPT; 1914 break; 1915 1916 default: 1917 SLOGE("keymaster_check_compatibility failed"); 1918 return -1; 1919 } 1920 1921 get_device_scrypt_params(ftr); 1922 1923 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 1924 if (get_crypt_ftr_info(NULL, &off) == 0) { 1925 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 1926 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 1927 ftr->persist_data_size; 1928 } 1929 1930 return 0; 1931} 1932 1933static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 1934{ 1935 const char *args[10]; 1936 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 1937 int num_args; 1938 int status; 1939 int tmp; 1940 int rc = -1; 1941 1942 if (type == EXT4_FS) { 1943 args[0] = "/system/bin/make_ext4fs"; 1944 args[1] = "-a"; 1945 args[2] = "/data"; 1946 args[3] = "-l"; 1947 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 1948 args[4] = size_str; 1949 args[5] = crypto_blkdev; 1950 num_args = 6; 1951 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 1952 args[0], args[1], args[2], args[3], args[4], args[5]); 1953 } else if (type == F2FS_FS) { 1954 args[0] = "/system/bin/mkfs.f2fs"; 1955 args[1] = "-t"; 1956 args[2] = "-d1"; 1957 args[3] = crypto_blkdev; 1958 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 1959 args[4] = size_str; 1960 num_args = 5; 1961 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 1962 args[0], args[1], args[2], args[3], args[4]); 1963 } else { 1964 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 1965 return -1; 1966 } 1967 1968 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 1969 1970 if (tmp != 0) { 1971 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 1972 } else { 1973 if (WIFEXITED(status)) { 1974 if (WEXITSTATUS(status)) { 1975 SLOGE("Error creating filesystem on %s, exit status %d ", 1976 crypto_blkdev, WEXITSTATUS(status)); 1977 } else { 1978 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 1979 rc = 0; 1980 } 1981 } else { 1982 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 1983 } 1984 } 1985 1986 return rc; 1987} 1988 1989#define CRYPT_INPLACE_BUFSIZE 4096 1990#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 1991#define CRYPT_SECTOR_SIZE 512 1992 1993/* aligned 32K writes tends to make flash happy. 1994 * SD card association recommends it. 1995 */ 1996#define BLOCKS_AT_A_TIME 8 1997 1998struct encryptGroupsData 1999{ 2000 int realfd; 2001 int cryptofd; 2002 off64_t numblocks; 2003 off64_t one_pct, cur_pct, new_pct; 2004 off64_t blocks_already_done, tot_numblocks; 2005 off64_t used_blocks_already_done, tot_used_blocks; 2006 char* real_blkdev, * crypto_blkdev; 2007 int count; 2008 off64_t offset; 2009 char* buffer; 2010 off64_t last_written_sector; 2011 int completed; 2012 time_t time_started; 2013 int remaining_time; 2014}; 2015 2016static void update_progress(struct encryptGroupsData* data, int is_used) 2017{ 2018 data->blocks_already_done++; 2019 2020 if (is_used) { 2021 data->used_blocks_already_done++; 2022 } 2023 if (data->tot_used_blocks) { 2024 data->new_pct = data->used_blocks_already_done / data->one_pct; 2025 } else { 2026 data->new_pct = data->blocks_already_done / data->one_pct; 2027 } 2028 2029 if (data->new_pct > data->cur_pct) { 2030 char buf[8]; 2031 data->cur_pct = data->new_pct; 2032 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2033 property_set("vold.encrypt_progress", buf); 2034 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct); 2035 } 2036 2037 if (data->cur_pct >= 5) { 2038 double elapsed_time = difftime(time(NULL), data->time_started); 2039 off64_t remaining_blocks = data->tot_used_blocks 2040 - data->used_blocks_already_done; 2041 int remaining_time = (int)(elapsed_time * remaining_blocks 2042 / data->used_blocks_already_done); 2043 2044 // Change time only if not yet set, lower, or a lot higher for 2045 // best user experience 2046 if (data->remaining_time == -1 2047 || remaining_time < data->remaining_time 2048 || remaining_time > data->remaining_time + 60) { 2049 char buf[8]; 2050 snprintf(buf, sizeof(buf), "%d", remaining_time); 2051 property_set("vold.encrypt_time_remaining", buf); 2052 2053 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go", 2054 data->cur_pct, remaining_time); 2055 data->remaining_time = remaining_time; 2056 } 2057 } 2058} 2059 2060static int flush_outstanding_data(struct encryptGroupsData* data) 2061{ 2062 if (data->count == 0) { 2063 return 0; 2064 } 2065 2066 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2067 2068 if (pread64(data->realfd, data->buffer, 2069 info.block_size * data->count, data->offset) 2070 <= 0) { 2071 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2072 data->real_blkdev); 2073 return -1; 2074 } 2075 2076 if (pwrite64(data->cryptofd, data->buffer, 2077 info.block_size * data->count, data->offset) 2078 <= 0) { 2079 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2080 data->crypto_blkdev); 2081 return -1; 2082 } else { 2083 SLOGI("Encrypted %d blocks at sector %" PRId64, 2084 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2085 } 2086 2087 data->count = 0; 2088 data->last_written_sector = (data->offset + data->count) 2089 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2090 return 0; 2091} 2092 2093static int encrypt_groups(struct encryptGroupsData* data) 2094{ 2095 unsigned int i; 2096 u8 *block_bitmap = 0; 2097 unsigned int block; 2098 off64_t ret; 2099 int rc = -1; 2100 2101 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2102 if (!data->buffer) { 2103 SLOGE("Failed to allocate crypto buffer"); 2104 goto errout; 2105 } 2106 2107 block_bitmap = malloc(info.block_size); 2108 if (!block_bitmap) { 2109 SLOGE("failed to allocate block bitmap"); 2110 goto errout; 2111 } 2112 2113 for (i = 0; i < aux_info.groups; ++i) { 2114 SLOGI("Encrypting group %d", i); 2115 2116 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2117 u32 block_count = min(info.blocks_per_group, 2118 aux_info.len_blocks - first_block); 2119 2120 off64_t offset = (u64)info.block_size 2121 * aux_info.bg_desc[i].bg_block_bitmap; 2122 2123 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2124 if (ret != (int)info.block_size) { 2125 SLOGE("failed to read all of block group bitmap %d", i); 2126 goto errout; 2127 } 2128 2129 offset = (u64)info.block_size * first_block; 2130 2131 data->count = 0; 2132 2133 for (block = 0; block < block_count; block++) { 2134 int used = bitmap_get_bit(block_bitmap, block); 2135 update_progress(data, used); 2136 if (used) { 2137 if (data->count == 0) { 2138 data->offset = offset; 2139 } 2140 data->count++; 2141 } else { 2142 if (flush_outstanding_data(data)) { 2143 goto errout; 2144 } 2145 } 2146 2147 offset += info.block_size; 2148 2149 /* Write data if we are aligned or buffer size reached */ 2150 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2151 || data->count == BLOCKS_AT_A_TIME) { 2152 if (flush_outstanding_data(data)) { 2153 goto errout; 2154 } 2155 } 2156 2157 if (!is_battery_ok_to_continue()) { 2158 SLOGE("Stopping encryption due to low battery"); 2159 rc = 0; 2160 goto errout; 2161 } 2162 2163 } 2164 if (flush_outstanding_data(data)) { 2165 goto errout; 2166 } 2167 } 2168 2169 data->completed = 1; 2170 rc = 0; 2171 2172errout: 2173 free(data->buffer); 2174 free(block_bitmap); 2175 return rc; 2176} 2177 2178static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2179 char *real_blkdev, 2180 off64_t size, 2181 off64_t *size_already_done, 2182 off64_t tot_size, 2183 off64_t previously_encrypted_upto) 2184{ 2185 u32 i; 2186 struct encryptGroupsData data; 2187 int rc; // Can't initialize without causing warning -Wclobbered 2188 2189 if (previously_encrypted_upto > *size_already_done) { 2190 SLOGD("Not fast encrypting since resuming part way through"); 2191 return -1; 2192 } 2193 2194 memset(&data, 0, sizeof(data)); 2195 data.real_blkdev = real_blkdev; 2196 data.crypto_blkdev = crypto_blkdev; 2197 2198 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2199 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2200 real_blkdev); 2201 rc = -1; 2202 goto errout; 2203 } 2204 2205 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2206 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2207 crypto_blkdev); 2208 rc = -1; 2209 goto errout; 2210 } 2211 2212 if (setjmp(setjmp_env)) { 2213 SLOGE("Reading extent caused an exception"); 2214 rc = -1; 2215 goto errout; 2216 } 2217 2218 if (read_ext(data.realfd, 0) != 0) { 2219 SLOGE("Failed to read extent"); 2220 rc = -1; 2221 goto errout; 2222 } 2223 2224 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2225 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2226 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2227 2228 SLOGI("Encrypting filesystem in place..."); 2229 2230 data.tot_used_blocks = data.numblocks; 2231 for (i = 0; i < aux_info.groups; ++i) { 2232 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2233 } 2234 2235 data.one_pct = data.tot_used_blocks / 100; 2236 data.cur_pct = 0; 2237 data.time_started = time(NULL); 2238 data.remaining_time = -1; 2239 2240 rc = encrypt_groups(&data); 2241 if (rc) { 2242 SLOGE("Error encrypting groups"); 2243 goto errout; 2244 } 2245 2246 *size_already_done += data.completed ? size : data.last_written_sector; 2247 rc = 0; 2248 2249errout: 2250 close(data.realfd); 2251 close(data.cryptofd); 2252 2253 return rc; 2254} 2255 2256static int encrypt_one_block_f2fs(u64 pos, void *data) 2257{ 2258 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2259 2260 priv_dat->blocks_already_done = pos - 1; 2261 update_progress(priv_dat, 1); 2262 2263 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2264 2265 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2266 SLOGE("Error reading real_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2267 return -1; 2268 } 2269 2270 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2271 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2272 return -1; 2273 } else { 2274 SLOGD("Encrypted block %"PRIu64, pos); 2275 } 2276 2277 return 0; 2278} 2279 2280static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2281 char *real_blkdev, 2282 off64_t size, 2283 off64_t *size_already_done, 2284 off64_t tot_size, 2285 off64_t previously_encrypted_upto) 2286{ 2287 u32 i; 2288 struct encryptGroupsData data; 2289 struct f2fs_info *f2fs_info = NULL; 2290 int rc = -1; 2291 if (previously_encrypted_upto > *size_already_done) { 2292 SLOGD("Not fast encrypting since resuming part way through"); 2293 return -1; 2294 } 2295 memset(&data, 0, sizeof(data)); 2296 data.real_blkdev = real_blkdev; 2297 data.crypto_blkdev = crypto_blkdev; 2298 data.realfd = -1; 2299 data.cryptofd = -1; 2300 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2301 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2302 real_blkdev); 2303 goto errout; 2304 } 2305 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2306 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2307 crypto_blkdev); 2308 goto errout; 2309 } 2310 2311 f2fs_info = generate_f2fs_info(data.realfd); 2312 if (!f2fs_info) 2313 goto errout; 2314 2315 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2316 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2317 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2318 2319 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2320 2321 data.one_pct = data.tot_used_blocks / 100; 2322 data.cur_pct = 0; 2323 data.time_started = time(NULL); 2324 data.remaining_time = -1; 2325 2326 data.buffer = malloc(f2fs_info->block_size); 2327 if (!data.buffer) { 2328 SLOGE("Failed to allocate crypto buffer"); 2329 goto errout; 2330 } 2331 2332 data.count = 0; 2333 2334 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2335 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2336 2337 if (rc) { 2338 SLOGE("Error in running over blocks"); 2339 goto errout; 2340 } 2341 2342 *size_already_done += size; 2343 rc = 0; 2344 2345errout: 2346 if (rc) 2347 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2348 2349 free(f2fs_info); 2350 free(data.buffer); 2351 close(data.realfd); 2352 close(data.cryptofd); 2353 2354 return rc; 2355} 2356 2357static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2358 off64_t size, off64_t *size_already_done, 2359 off64_t tot_size, 2360 off64_t previously_encrypted_upto) 2361{ 2362 int realfd, cryptofd; 2363 char *buf[CRYPT_INPLACE_BUFSIZE]; 2364 int rc = -1; 2365 off64_t numblocks, i, remainder; 2366 off64_t one_pct, cur_pct, new_pct; 2367 off64_t blocks_already_done, tot_numblocks; 2368 2369 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2370 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2371 return -1; 2372 } 2373 2374 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2375 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev); 2376 close(realfd); 2377 return -1; 2378 } 2379 2380 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2381 * The size passed in is the number of 512 byte sectors in the filesystem. 2382 * So compute the number of whole 4K blocks we should read/write, 2383 * and the remainder. 2384 */ 2385 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2386 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2387 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2388 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2389 2390 SLOGE("Encrypting filesystem in place..."); 2391 2392 i = previously_encrypted_upto + 1 - *size_already_done; 2393 2394 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2395 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2396 goto errout; 2397 } 2398 2399 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2400 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2401 goto errout; 2402 } 2403 2404 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2405 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2406 SLOGE("Error reading initial sectors from real_blkdev %s for " 2407 "inplace encrypt\n", crypto_blkdev); 2408 goto errout; 2409 } 2410 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2411 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2412 "inplace encrypt\n", crypto_blkdev); 2413 goto errout; 2414 } else { 2415 SLOGI("Encrypted 1 block at %" PRId64, i); 2416 } 2417 } 2418 2419 one_pct = tot_numblocks / 100; 2420 cur_pct = 0; 2421 /* process the majority of the filesystem in blocks */ 2422 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2423 new_pct = (i + blocks_already_done) / one_pct; 2424 if (new_pct > cur_pct) { 2425 char buf[8]; 2426 2427 cur_pct = new_pct; 2428 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2429 property_set("vold.encrypt_progress", buf); 2430 } 2431 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2432 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2433 goto errout; 2434 } 2435 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2436 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2437 goto errout; 2438 } else { 2439 SLOGD("Encrypted %d block at %" PRId64, 2440 CRYPT_SECTORS_PER_BUFSIZE, 2441 i * CRYPT_SECTORS_PER_BUFSIZE); 2442 } 2443 2444 if (!is_battery_ok_to_continue()) { 2445 SLOGE("Stopping encryption due to low battery"); 2446 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2447 rc = 0; 2448 goto errout; 2449 } 2450 } 2451 2452 /* Do any remaining sectors */ 2453 for (i=0; i<remainder; i++) { 2454 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2455 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2456 goto errout; 2457 } 2458 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2459 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2460 goto errout; 2461 } else { 2462 SLOGI("Encrypted 1 block at next location"); 2463 } 2464 } 2465 2466 *size_already_done += size; 2467 rc = 0; 2468 2469errout: 2470 close(realfd); 2471 close(cryptofd); 2472 2473 return rc; 2474} 2475 2476static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2477 off64_t size, off64_t *size_already_done, 2478 off64_t tot_size, 2479 off64_t previously_encrypted_upto) 2480{ 2481 if (previously_encrypted_upto) { 2482 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2483 } 2484 2485 if (*size_already_done + size < previously_encrypted_upto) { 2486 *size_already_done += size; 2487 return 0; 2488 } 2489 2490 /* TODO: identify filesystem type. 2491 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2492 * then we will drop down to cryptfs_enable_inplace_f2fs. 2493 * */ 2494 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2495 size, size_already_done, 2496 tot_size, previously_encrypted_upto) == 0) { 2497 return 0; 2498 } 2499 2500 if (cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2501 size, size_already_done, 2502 tot_size, previously_encrypted_upto) == 0) { 2503 return 0; 2504 } 2505 2506 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2507 size, size_already_done, tot_size, 2508 previously_encrypted_upto); 2509} 2510 2511#define CRYPTO_ENABLE_WIPE 1 2512#define CRYPTO_ENABLE_INPLACE 2 2513 2514#define FRAMEWORK_BOOT_WAIT 60 2515 2516static inline int should_encrypt(struct volume_info *volume) 2517{ 2518 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2519 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2520} 2521 2522static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2523{ 2524 int fd = open(filename, O_RDONLY); 2525 if (fd == -1) { 2526 SLOGE("Error opening file %s", filename); 2527 return -1; 2528 } 2529 2530 char block[CRYPT_INPLACE_BUFSIZE]; 2531 memset(block, 0, sizeof(block)); 2532 if (unix_read(fd, block, sizeof(block)) < 0) { 2533 SLOGE("Error reading file %s", filename); 2534 close(fd); 2535 return -1; 2536 } 2537 2538 close(fd); 2539 2540 SHA256_CTX c; 2541 SHA256_Init(&c); 2542 SHA256_Update(&c, block, sizeof(block)); 2543 SHA256_Final(buf, &c); 2544 2545 return 0; 2546} 2547 2548static int get_fs_type(struct fstab_rec *rec) 2549{ 2550 if (!strcmp(rec->fs_type, "ext4")) { 2551 return EXT4_FS; 2552 } else if (!strcmp(rec->fs_type, "f2fs")) { 2553 return F2FS_FS; 2554 } else { 2555 return -1; 2556 } 2557} 2558 2559static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2560 char *crypto_blkdev, char *real_blkdev, 2561 int previously_encrypted_upto) 2562{ 2563 off64_t cur_encryption_done=0, tot_encryption_size=0; 2564 int i, rc = -1; 2565 2566 if (!is_battery_ok_to_start()) { 2567 SLOGW("Not starting encryption due to low battery"); 2568 return 0; 2569 } 2570 2571 /* The size of the userdata partition, and add in the vold volumes below */ 2572 tot_encryption_size = crypt_ftr->fs_size; 2573 2574 if (how == CRYPTO_ENABLE_WIPE) { 2575 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2576 int fs_type = get_fs_type(rec); 2577 if (fs_type < 0) { 2578 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2579 return -1; 2580 } 2581 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2582 } else if (how == CRYPTO_ENABLE_INPLACE) { 2583 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2584 crypt_ftr->fs_size, &cur_encryption_done, 2585 tot_encryption_size, 2586 previously_encrypted_upto); 2587 2588 if (!rc) { 2589 crypt_ftr->encrypted_upto = cur_encryption_done; 2590 } 2591 2592 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2593 /* The inplace routine never actually sets the progress to 100% due 2594 * to the round down nature of integer division, so set it here */ 2595 property_set("vold.encrypt_progress", "100"); 2596 } 2597 } else { 2598 /* Shouldn't happen */ 2599 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2600 rc = -1; 2601 } 2602 2603 return rc; 2604} 2605 2606int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2607 int allow_reboot) 2608{ 2609 int how = 0; 2610 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2611 unsigned long nr_sec; 2612 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2613 int rc=-1, fd, i, ret; 2614 struct crypt_mnt_ftr crypt_ftr; 2615 struct crypt_persist_data *pdata; 2616 char encrypted_state[PROPERTY_VALUE_MAX]; 2617 char lockid[32] = { 0 }; 2618 char key_loc[PROPERTY_VALUE_MAX]; 2619 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2620 char *sd_mnt_point; 2621 int num_vols; 2622 struct volume_info *vol_list = 0; 2623 off64_t previously_encrypted_upto = 0; 2624 2625 if (!strcmp(howarg, "wipe")) { 2626 how = CRYPTO_ENABLE_WIPE; 2627 } else if (! strcmp(howarg, "inplace")) { 2628 how = CRYPTO_ENABLE_INPLACE; 2629 } else { 2630 /* Shouldn't happen, as CommandListener vets the args */ 2631 goto error_unencrypted; 2632 } 2633 2634 /* See if an encryption was underway and interrupted */ 2635 if (how == CRYPTO_ENABLE_INPLACE 2636 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2637 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2638 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2639 crypt_ftr.encrypted_upto = 0; 2640 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2641 2642 /* At this point, we are in an inconsistent state. Until we successfully 2643 complete encryption, a reboot will leave us broken. So mark the 2644 encryption failed in case that happens. 2645 On successfully completing encryption, remove this flag */ 2646 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2647 2648 put_crypt_ftr_and_key(&crypt_ftr); 2649 } 2650 2651 property_get("ro.crypto.state", encrypted_state, ""); 2652 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2653 SLOGE("Device is already running encrypted, aborting"); 2654 goto error_unencrypted; 2655 } 2656 2657 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2658 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2659 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2660 2661 /* Get the size of the real block device */ 2662 fd = open(real_blkdev, O_RDONLY); 2663 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2664 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2665 goto error_unencrypted; 2666 } 2667 close(fd); 2668 2669 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2670 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2671 unsigned int fs_size_sec, max_fs_size_sec; 2672 fs_size_sec = get_fs_size(real_blkdev); 2673 if (fs_size_sec == 0) 2674 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2675 2676 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2677 2678 if (fs_size_sec > max_fs_size_sec) { 2679 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2680 goto error_unencrypted; 2681 } 2682 } 2683 2684 /* Get a wakelock as this may take a while, and we don't want the 2685 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2686 * wants to keep the screen on, it can grab a full wakelock. 2687 */ 2688 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2689 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2690 2691 /* Get the sdcard mount point */ 2692 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2693 if (!sd_mnt_point) { 2694 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2695 } 2696 if (!sd_mnt_point) { 2697 sd_mnt_point = "/mnt/sdcard"; 2698 } 2699 2700 /* TODO 2701 * Currently do not have test devices with multiple encryptable volumes. 2702 * When we acquire some, re-add support. 2703 */ 2704 num_vols=vold_getNumDirectVolumes(); 2705 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2706 vold_getDirectVolumeList(vol_list); 2707 2708 for (i=0; i<num_vols; i++) { 2709 if (should_encrypt(&vol_list[i])) { 2710 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2711 "%s\n", vol_list[i].label); 2712 goto error_unencrypted; 2713 } 2714 } 2715 2716 /* The init files are setup to stop the class main and late start when 2717 * vold sets trigger_shutdown_framework. 2718 */ 2719 property_set("vold.decrypt", "trigger_shutdown_framework"); 2720 SLOGD("Just asked init to shut down class main\n"); 2721 2722 if (vold_unmountAllAsecs()) { 2723 /* Just report the error. If any are left mounted, 2724 * umounting /data below will fail and handle the error. 2725 */ 2726 SLOGE("Error unmounting internal asecs"); 2727 } 2728 2729 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 2730 if (!strcmp(fuse_sdcard, "true")) { 2731 /* This is a device using the fuse layer to emulate the sdcard semantics 2732 * on top of the userdata partition. vold does not manage it, it is managed 2733 * by the sdcard service. The sdcard service was killed by the property trigger 2734 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 2735 * unlike the case for vold managed devices above. 2736 */ 2737 if (wait_and_unmount(sd_mnt_point)) { 2738 goto error_shutting_down; 2739 } 2740 } 2741 2742 /* Now unmount the /data partition. */ 2743 if (wait_and_unmount(DATA_MNT_POINT)) { 2744 if (allow_reboot) { 2745 goto error_shutting_down; 2746 } else { 2747 goto error_unencrypted; 2748 } 2749 } 2750 2751 /* Do extra work for a better UX when doing the long inplace encryption */ 2752 if (how == CRYPTO_ENABLE_INPLACE) { 2753 /* Now that /data is unmounted, we need to mount a tmpfs 2754 * /data, set a property saying we're doing inplace encryption, 2755 * and restart the framework. 2756 */ 2757 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2758 goto error_shutting_down; 2759 } 2760 /* Tells the framework that inplace encryption is starting */ 2761 property_set("vold.encrypt_progress", "0"); 2762 2763 /* restart the framework. */ 2764 /* Create necessary paths on /data */ 2765 if (prep_data_fs()) { 2766 goto error_shutting_down; 2767 } 2768 2769 /* Ugh, shutting down the framework is not synchronous, so until it 2770 * can be fixed, this horrible hack will wait a moment for it all to 2771 * shut down before proceeding. Without it, some devices cannot 2772 * restart the graphics services. 2773 */ 2774 sleep(2); 2775 2776 /* startup service classes main and late_start */ 2777 property_set("vold.decrypt", "trigger_restart_min_framework"); 2778 SLOGD("Just triggered restart_min_framework\n"); 2779 2780 /* OK, the framework is restarted and will soon be showing a 2781 * progress bar. Time to setup an encrypted mapping, and 2782 * either write a new filesystem, or encrypt in place updating 2783 * the progress bar as we work. 2784 */ 2785 } 2786 2787 /* Start the actual work of making an encrypted filesystem */ 2788 /* Initialize a crypt_mnt_ftr for the partition */ 2789 if (previously_encrypted_upto == 0) { 2790 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2791 goto error_shutting_down; 2792 } 2793 2794 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2795 crypt_ftr.fs_size = nr_sec 2796 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2797 } else { 2798 crypt_ftr.fs_size = nr_sec; 2799 } 2800 /* At this point, we are in an inconsistent state. Until we successfully 2801 complete encryption, a reboot will leave us broken. So mark the 2802 encryption failed in case that happens. 2803 On successfully completing encryption, remove this flag */ 2804 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2805 crypt_ftr.crypt_type = crypt_type; 2806 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 2807 2808 /* Make an encrypted master key */ 2809 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2810 SLOGE("Cannot create encrypted master key\n"); 2811 goto error_shutting_down; 2812 } 2813 2814 /* Write the key to the end of the partition */ 2815 put_crypt_ftr_and_key(&crypt_ftr); 2816 2817 /* If any persistent data has been remembered, save it. 2818 * If none, create a valid empty table and save that. 2819 */ 2820 if (!persist_data) { 2821 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 2822 if (pdata) { 2823 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2824 persist_data = pdata; 2825 } 2826 } 2827 if (persist_data) { 2828 save_persistent_data(); 2829 } 2830 } 2831 2832 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2833 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2834 "userdata"); 2835 2836 /* If we are continuing, check checksums match */ 2837 rc = 0; 2838 if (previously_encrypted_upto) { 2839 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2840 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2841 2842 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2843 sizeof(hash_first_block)) != 0) { 2844 SLOGE("Checksums do not match - trigger wipe"); 2845 rc = -1; 2846 } 2847 } 2848 2849 if (!rc) { 2850 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 2851 crypto_blkdev, real_blkdev, 2852 previously_encrypted_upto); 2853 } 2854 2855 /* Calculate checksum if we are not finished */ 2856 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2857 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2858 crypt_ftr.hash_first_block); 2859 if (rc) { 2860 SLOGE("Error calculating checksum for continuing encryption"); 2861 rc = -1; 2862 } 2863 } 2864 2865 /* Undo the dm-crypt mapping whether we succeed or not */ 2866 delete_crypto_blk_dev("userdata"); 2867 2868 free(vol_list); 2869 2870 if (! rc) { 2871 /* Success */ 2872 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2873 2874 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2875 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2876 crypt_ftr.encrypted_upto); 2877 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2878 } 2879 2880 put_crypt_ftr_and_key(&crypt_ftr); 2881 2882 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2883 char value[PROPERTY_VALUE_MAX]; 2884 property_get("ro.crypto.state", value, ""); 2885 if (!strcmp(value, "")) { 2886 /* default encryption - continue first boot sequence */ 2887 property_set("ro.crypto.state", "encrypted"); 2888 release_wake_lock(lockid); 2889 cryptfs_check_passwd(DEFAULT_PASSWORD); 2890 cryptfs_restart_internal(1); 2891 return 0; 2892 } else { 2893 sleep(2); /* Give the UI a chance to show 100% progress */ 2894 cryptfs_reboot(reboot); 2895 } 2896 } else { 2897 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2898 cryptfs_reboot(shutdown); 2899 } 2900 } else { 2901 char value[PROPERTY_VALUE_MAX]; 2902 2903 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2904 if (!strcmp(value, "1")) { 2905 /* wipe data if encryption failed */ 2906 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2907 mkdir("/cache/recovery", 0700); 2908 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 2909 if (fd >= 0) { 2910 write(fd, "--wipe_data", strlen("--wipe_data") + 1); 2911 close(fd); 2912 } else { 2913 SLOGE("could not open /cache/recovery/command\n"); 2914 } 2915 cryptfs_reboot(recovery); 2916 } else { 2917 /* set property to trigger dialog */ 2918 property_set("vold.encrypt_progress", "error_partially_encrypted"); 2919 release_wake_lock(lockid); 2920 } 2921 return -1; 2922 } 2923 2924 /* hrm, the encrypt step claims success, but the reboot failed. 2925 * This should not happen. 2926 * Set the property and return. Hope the framework can deal with it. 2927 */ 2928 property_set("vold.encrypt_progress", "error_reboot_failed"); 2929 release_wake_lock(lockid); 2930 return rc; 2931 2932error_unencrypted: 2933 free(vol_list); 2934 property_set("vold.encrypt_progress", "error_not_encrypted"); 2935 if (lockid[0]) { 2936 release_wake_lock(lockid); 2937 } 2938 return -1; 2939 2940error_shutting_down: 2941 /* we failed, and have not encrypted anthing, so the users's data is still intact, 2942 * but the framework is stopped and not restarted to show the error, so it's up to 2943 * vold to restart the system. 2944 */ 2945 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 2946 cryptfs_reboot(reboot); 2947 2948 /* shouldn't get here */ 2949 property_set("vold.encrypt_progress", "error_shutting_down"); 2950 free(vol_list); 2951 if (lockid[0]) { 2952 release_wake_lock(lockid); 2953 } 2954 return -1; 2955} 2956 2957int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 2958{ 2959 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 2960} 2961 2962int cryptfs_enable_default(char *howarg, int allow_reboot) 2963{ 2964 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 2965 DEFAULT_PASSWORD, allow_reboot); 2966} 2967 2968int cryptfs_changepw(int crypt_type, const char *newpw) 2969{ 2970 struct crypt_mnt_ftr crypt_ftr; 2971 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2972 2973 /* This is only allowed after we've successfully decrypted the master key */ 2974 if (!master_key_saved) { 2975 SLOGE("Key not saved, aborting"); 2976 return -1; 2977 } 2978 2979 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 2980 SLOGE("Invalid crypt_type %d", crypt_type); 2981 return -1; 2982 } 2983 2984 /* get key */ 2985 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2986 SLOGE("Error getting crypt footer and key"); 2987 return -1; 2988 } 2989 2990 crypt_ftr.crypt_type = crypt_type; 2991 2992 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 2993 : newpw, 2994 crypt_ftr.salt, 2995 saved_master_key, 2996 crypt_ftr.master_key, 2997 &crypt_ftr); 2998 2999 /* save the key */ 3000 put_crypt_ftr_and_key(&crypt_ftr); 3001 3002 return 0; 3003} 3004 3005static int persist_get_key(char *fieldname, char *value) 3006{ 3007 unsigned int i; 3008 3009 if (persist_data == NULL) { 3010 return -1; 3011 } 3012 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3013 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3014 /* We found it! */ 3015 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3016 return 0; 3017 } 3018 } 3019 3020 return -1; 3021} 3022 3023static int persist_set_key(char *fieldname, char *value, int encrypted) 3024{ 3025 unsigned int i; 3026 unsigned int num; 3027 struct crypt_mnt_ftr crypt_ftr; 3028 unsigned int max_persistent_entries; 3029 unsigned int dsize; 3030 3031 if (persist_data == NULL) { 3032 return -1; 3033 } 3034 3035 /* If encrypted, use the values from the crypt_ftr, otherwise 3036 * use the values for the current spec. 3037 */ 3038 if (encrypted) { 3039 if(get_crypt_ftr_and_key(&crypt_ftr)) { 3040 return -1; 3041 } 3042 dsize = crypt_ftr.persist_data_size; 3043 } else { 3044 dsize = CRYPT_PERSIST_DATA_SIZE; 3045 } 3046 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3047 sizeof(struct crypt_persist_entry); 3048 3049 num = persist_data->persist_valid_entries; 3050 3051 for (i = 0; i < num; i++) { 3052 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3053 /* We found an existing entry, update it! */ 3054 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3055 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3056 return 0; 3057 } 3058 } 3059 3060 /* We didn't find it, add it to the end, if there is room */ 3061 if (persist_data->persist_valid_entries < max_persistent_entries) { 3062 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3063 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3064 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3065 persist_data->persist_valid_entries++; 3066 return 0; 3067 } 3068 3069 return -1; 3070} 3071 3072/* Return the value of the specified field. */ 3073int cryptfs_getfield(char *fieldname, char *value, int len) 3074{ 3075 char temp_value[PROPERTY_VALUE_MAX]; 3076 char real_blkdev[MAXPATHLEN]; 3077 /* 0 is success, 1 is not encrypted, 3078 * -1 is value not set, -2 is any other error 3079 */ 3080 int rc = -2; 3081 3082 if (persist_data == NULL) { 3083 load_persistent_data(); 3084 if (persist_data == NULL) { 3085 SLOGE("Getfield error, cannot load persistent data"); 3086 goto out; 3087 } 3088 } 3089 3090 if (!persist_get_key(fieldname, temp_value)) { 3091 /* We found it, copy it to the caller's buffer and return */ 3092 strlcpy(value, temp_value, len); 3093 rc = 0; 3094 } else { 3095 /* Sadness, it's not there. Return the error */ 3096 rc = -1; 3097 } 3098 3099out: 3100 return rc; 3101} 3102 3103/* Set the value of the specified field. */ 3104int cryptfs_setfield(char *fieldname, char *value) 3105{ 3106 struct crypt_persist_data stored_pdata; 3107 struct crypt_persist_data *pdata_p; 3108 struct crypt_mnt_ftr crypt_ftr; 3109 char encrypted_state[PROPERTY_VALUE_MAX]; 3110 /* 0 is success, -1 is an error */ 3111 int rc = -1; 3112 int encrypted = 0; 3113 3114 if (persist_data == NULL) { 3115 load_persistent_data(); 3116 if (persist_data == NULL) { 3117 SLOGE("Setfield error, cannot load persistent data"); 3118 goto out; 3119 } 3120 } 3121 3122 property_get("ro.crypto.state", encrypted_state, ""); 3123 if (!strcmp(encrypted_state, "encrypted") ) { 3124 encrypted = 1; 3125 } 3126 3127 if (persist_set_key(fieldname, value, encrypted)) { 3128 goto out; 3129 } 3130 3131 /* If we are running encrypted, save the persistent data now */ 3132 if (encrypted) { 3133 if (save_persistent_data()) { 3134 SLOGE("Setfield error, cannot save persistent data"); 3135 goto out; 3136 } 3137 } 3138 3139 rc = 0; 3140 3141out: 3142 return rc; 3143} 3144 3145/* Checks userdata. Attempt to mount the volume if default- 3146 * encrypted. 3147 * On success trigger next init phase and return 0. 3148 * Currently do not handle failure - see TODO below. 3149 */ 3150int cryptfs_mount_default_encrypted(void) 3151{ 3152 char decrypt_state[PROPERTY_VALUE_MAX]; 3153 property_get("vold.decrypt", decrypt_state, "0"); 3154 if (!strcmp(decrypt_state, "0")) { 3155 SLOGE("Not encrypted - should not call here"); 3156 } else { 3157 int crypt_type = cryptfs_get_password_type(); 3158 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3159 SLOGE("Bad crypt type - error"); 3160 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3161 SLOGD("Password is not default - " 3162 "starting min framework to prompt"); 3163 property_set("vold.decrypt", "trigger_restart_min_framework"); 3164 return 0; 3165 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3166 SLOGD("Password is default - restarting filesystem"); 3167 cryptfs_restart_internal(0); 3168 return 0; 3169 } else { 3170 SLOGE("Encrypted, default crypt type but can't decrypt"); 3171 } 3172 } 3173 3174 /** Corrupt. Allow us to boot into framework, which will detect bad 3175 crypto when it calls do_crypto_complete, then do a factory reset 3176 */ 3177 property_set("vold.decrypt", "trigger_restart_min_framework"); 3178 return 0; 3179} 3180 3181/* Returns type of the password, default, pattern, pin or password. 3182 */ 3183int cryptfs_get_password_type(void) 3184{ 3185 struct crypt_mnt_ftr crypt_ftr; 3186 3187 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3188 SLOGE("Error getting crypt footer and key\n"); 3189 return -1; 3190 } 3191 3192 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3193 return -1; 3194 } 3195 3196 return crypt_ftr.crypt_type; 3197} 3198 3199char* cryptfs_get_password() 3200{ 3201 struct timespec now; 3202 clock_gettime(CLOCK_MONOTONIC, &now); 3203 if (now.tv_sec < password_expiry_time) { 3204 return password; 3205 } else { 3206 cryptfs_clear_password(); 3207 return 0; 3208 } 3209} 3210 3211void cryptfs_clear_password() 3212{ 3213 if (password) { 3214 size_t len = strlen(password); 3215 memset(password, 0, len); 3216 free(password); 3217 password = 0; 3218 password_expiry_time = 0; 3219 } 3220} 3221