cryptfs.c revision 84f2515008539e82a6f6ad3c882d914da140ab13
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include <time.h> 44#include <math.h> 45#include "cryptfs.h" 46#define LOG_TAG "Cryptfs" 47#include "cutils/log.h" 48#include "cutils/properties.h" 49#include "cutils/android_reboot.h" 50#include "hardware_legacy/power.h" 51#include <logwrap/logwrap.h> 52#include "VolumeManager.h" 53#include "VoldUtil.h" 54#include "crypto_scrypt.h" 55#include "ext4_utils.h" 56#include "f2fs_sparseblock.h" 57#include "CheckBattery.h" 58#include "Process.h" 59 60#include <hardware/keymaster.h> 61 62#define UNUSED __attribute__((unused)) 63 64#define UNUSED __attribute__((unused)) 65 66#define DM_CRYPT_BUF_SIZE 4096 67 68#define HASH_COUNT 2000 69#define KEY_LEN_BYTES 16 70#define IV_LEN_BYTES 16 71 72#define KEY_IN_FOOTER "footer" 73 74// "default_password" encoded into hex (d=0x64 etc) 75#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 76 77#define EXT4_FS 1 78#define F2FS_FS 2 79 80#define TABLE_LOAD_RETRIES 10 81 82#define RSA_KEY_SIZE 2048 83#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 84#define RSA_EXPONENT 0x10001 85 86#define RETRY_MOUNT_ATTEMPTS 10 87#define RETRY_MOUNT_DELAY_SECONDS 1 88 89char *me = "cryptfs"; 90 91static unsigned char saved_master_key[KEY_LEN_BYTES]; 92static char *saved_mount_point; 93static int master_key_saved = 0; 94static struct crypt_persist_data *persist_data = NULL; 95 96static int keymaster_init(keymaster_device_t **keymaster_dev) 97{ 98 int rc; 99 100 const hw_module_t* mod; 101 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 102 if (rc) { 103 ALOGE("could not find any keystore module"); 104 goto out; 105 } 106 107 rc = keymaster_open(mod, keymaster_dev); 108 if (rc) { 109 ALOGE("could not open keymaster device in %s (%s)", 110 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 111 goto out; 112 } 113 114 return 0; 115 116out: 117 *keymaster_dev = NULL; 118 return rc; 119} 120 121/* Should we use keymaster? */ 122static int keymaster_check_compatibility() 123{ 124 keymaster_device_t *keymaster_dev = 0; 125 int rc = 0; 126 127 if (keymaster_init(&keymaster_dev)) { 128 SLOGE("Failed to init keymaster"); 129 rc = -1; 130 goto out; 131 } 132 133 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 134 135 if (keymaster_dev->common.module->module_api_version 136 < KEYMASTER_MODULE_API_VERSION_0_3) { 137 rc = 0; 138 goto out; 139 } 140 141 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 142 rc = 1; 143 } 144 145out: 146 keymaster_close(keymaster_dev); 147 return rc; 148} 149 150/* Create a new keymaster key and store it in this footer */ 151static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 152{ 153 uint8_t* key = 0; 154 keymaster_device_t *keymaster_dev = 0; 155 156 if (keymaster_init(&keymaster_dev)) { 157 SLOGE("Failed to init keymaster"); 158 return -1; 159 } 160 161 int rc = 0; 162 163 keymaster_rsa_keygen_params_t params; 164 memset(¶ms, '\0', sizeof(params)); 165 params.public_exponent = RSA_EXPONENT; 166 params.modulus_size = RSA_KEY_SIZE; 167 168 size_t key_size; 169 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 170 &key, &key_size)) { 171 SLOGE("Failed to generate keypair"); 172 rc = -1; 173 goto out; 174 } 175 176 if (key_size > KEYMASTER_BLOB_SIZE) { 177 SLOGE("Keymaster key too large for crypto footer"); 178 rc = -1; 179 goto out; 180 } 181 182 memcpy(ftr->keymaster_blob, key, key_size); 183 ftr->keymaster_blob_size = key_size; 184 185out: 186 keymaster_close(keymaster_dev); 187 free(key); 188 return rc; 189} 190 191/* This signs the given object using the keymaster key. */ 192static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 193 const unsigned char *object, 194 const size_t object_size, 195 unsigned char **signature, 196 size_t *signature_size) 197{ 198 int rc = 0; 199 keymaster_device_t *keymaster_dev = 0; 200 if (keymaster_init(&keymaster_dev)) { 201 SLOGE("Failed to init keymaster"); 202 return -1; 203 } 204 205 /* We currently set the digest type to DIGEST_NONE because it's the 206 * only supported value for keymaster. A similar issue exists with 207 * PADDING_NONE. Long term both of these should likely change. 208 */ 209 keymaster_rsa_sign_params_t params; 210 params.digest_type = DIGEST_NONE; 211 params.padding_type = PADDING_NONE; 212 213 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 214 size_t to_sign_size = sizeof(to_sign); 215 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 216 217 // To sign a message with RSA, the message must satisfy two 218 // constraints: 219 // 220 // 1. The message, when interpreted as a big-endian numeric value, must 221 // be strictly less than the public modulus of the RSA key. Note 222 // that because the most significant bit of the public modulus is 223 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 224 // key), an n-bit message with most significant bit 0 always 225 // satisfies this requirement. 226 // 227 // 2. The message must have the same length in bits as the public 228 // modulus of the RSA key. This requirement isn't mathematically 229 // necessary, but is necessary to ensure consistency in 230 // implementations. 231 switch (ftr->kdf_type) { 232 case KDF_SCRYPT_KEYMASTER_UNPADDED: 233 // This is broken: It produces a message which is shorter than 234 // the public modulus, failing criterion 2. 235 memcpy(to_sign, object, object_size); 236 to_sign_size = object_size; 237 SLOGI("Signing unpadded object"); 238 break; 239 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 240 // This is broken: Since the value of object is uniformly 241 // distributed, it produces a message that is larger than the 242 // public modulus with probability 0.25. 243 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 244 SLOGI("Signing end-padded object"); 245 break; 246 case KDF_SCRYPT_KEYMASTER: 247 // This ensures the most significant byte of the signed message 248 // is zero. We could have zero-padded to the left instead, but 249 // this approach is slightly more robust against changes in 250 // object size. However, it's still broken (but not unusably 251 // so) because we really should be using a proper RSA padding 252 // function, such as OAEP. 253 // 254 // TODO(paullawrence): When keymaster 0.4 is available, change 255 // this to use the padding options it provides. 256 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 257 SLOGI("Signing safely-padded object"); 258 break; 259 default: 260 SLOGE("Unknown KDF type %d", ftr->kdf_type); 261 return -1; 262 } 263 264 rc = keymaster_dev->sign_data(keymaster_dev, 265 ¶ms, 266 ftr->keymaster_blob, 267 ftr->keymaster_blob_size, 268 to_sign, 269 to_sign_size, 270 signature, 271 signature_size); 272 273 keymaster_close(keymaster_dev); 274 return rc; 275} 276 277/* Store password when userdata is successfully decrypted and mounted. 278 * Cleared by cryptfs_clear_password 279 * 280 * To avoid a double prompt at boot, we need to store the CryptKeeper 281 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 282 * Since the entire framework is torn down and rebuilt after encryption, 283 * we have to use a daemon or similar to store the password. Since vold 284 * is secured against IPC except from system processes, it seems a reasonable 285 * place to store this. 286 * 287 * password should be cleared once it has been used. 288 * 289 * password is aged out after password_max_age_seconds seconds. 290 */ 291static char* password = 0; 292static int password_expiry_time = 0; 293static const int password_max_age_seconds = 60; 294 295extern struct fstab *fstab; 296 297enum RebootType {reboot, recovery, shutdown}; 298static void cryptfs_reboot(enum RebootType rt) 299{ 300 switch(rt) { 301 case reboot: 302 property_set(ANDROID_RB_PROPERTY, "reboot"); 303 break; 304 305 case recovery: 306 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 307 break; 308 309 case shutdown: 310 property_set(ANDROID_RB_PROPERTY, "shutdown"); 311 break; 312 } 313 314 sleep(20); 315 316 /* Shouldn't get here, reboot should happen before sleep times out */ 317 return; 318} 319 320static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 321{ 322 memset(io, 0, dataSize); 323 io->data_size = dataSize; 324 io->data_start = sizeof(struct dm_ioctl); 325 io->version[0] = 4; 326 io->version[1] = 0; 327 io->version[2] = 0; 328 io->flags = flags; 329 if (name) { 330 strncpy(io->name, name, sizeof(io->name)); 331 } 332} 333 334/** 335 * Gets the default device scrypt parameters for key derivation time tuning. 336 * The parameters should lead to about one second derivation time for the 337 * given device. 338 */ 339static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 340 const int default_params[] = SCRYPT_DEFAULTS; 341 int params[] = SCRYPT_DEFAULTS; 342 char paramstr[PROPERTY_VALUE_MAX]; 343 char *token; 344 char *saveptr; 345 int i; 346 347 property_get(SCRYPT_PROP, paramstr, ""); 348 if (paramstr[0] != '\0') { 349 /* 350 * The token we're looking for should be three integers separated by 351 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 352 */ 353 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 354 token != NULL && i < 3; 355 i++, token = strtok_r(NULL, ":", &saveptr)) { 356 char *endptr; 357 params[i] = strtol(token, &endptr, 10); 358 359 /* 360 * Check that there was a valid number and it's 8-bit. If not, 361 * break out and the end check will take the default values. 362 */ 363 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 364 break; 365 } 366 } 367 368 /* 369 * If there were not enough tokens or a token was malformed (not an 370 * integer), it will end up here and the default parameters can be 371 * taken. 372 */ 373 if ((i != 3) || (token != NULL)) { 374 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 375 memcpy(params, default_params, sizeof(params)); 376 } 377 } 378 379 ftr->N_factor = params[0]; 380 ftr->r_factor = params[1]; 381 ftr->p_factor = params[2]; 382} 383 384static unsigned int get_fs_size(char *dev) 385{ 386 int fd, block_size; 387 struct ext4_super_block sb; 388 off64_t len; 389 390 if ((fd = open(dev, O_RDONLY)) < 0) { 391 SLOGE("Cannot open device to get filesystem size "); 392 return 0; 393 } 394 395 if (lseek64(fd, 1024, SEEK_SET) < 0) { 396 SLOGE("Cannot seek to superblock"); 397 return 0; 398 } 399 400 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 401 SLOGE("Cannot read superblock"); 402 return 0; 403 } 404 405 close(fd); 406 407 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 408 SLOGE("Not a valid ext4 superblock"); 409 return 0; 410 } 411 block_size = 1024 << sb.s_log_block_size; 412 /* compute length in bytes */ 413 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 414 415 /* return length in sectors */ 416 return (unsigned int) (len / 512); 417} 418 419static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 420{ 421 static int cached_data = 0; 422 static off64_t cached_off = 0; 423 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 424 int fd; 425 char key_loc[PROPERTY_VALUE_MAX]; 426 char real_blkdev[PROPERTY_VALUE_MAX]; 427 unsigned int nr_sec; 428 int rc = -1; 429 430 if (!cached_data) { 431 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 432 433 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 434 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 435 SLOGE("Cannot open real block device %s\n", real_blkdev); 436 return -1; 437 } 438 439 if ((nr_sec = get_blkdev_size(fd))) { 440 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 441 * encryption info footer and key, and plenty of bytes to spare for future 442 * growth. 443 */ 444 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 445 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 446 cached_data = 1; 447 } else { 448 SLOGE("Cannot get size of block device %s\n", real_blkdev); 449 } 450 close(fd); 451 } else { 452 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 453 cached_off = 0; 454 cached_data = 1; 455 } 456 } 457 458 if (cached_data) { 459 if (metadata_fname) { 460 *metadata_fname = cached_metadata_fname; 461 } 462 if (off) { 463 *off = cached_off; 464 } 465 rc = 0; 466 } 467 468 return rc; 469} 470 471/* key or salt can be NULL, in which case just skip writing that value. Useful to 472 * update the failed mount count but not change the key. 473 */ 474static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 475{ 476 int fd; 477 unsigned int nr_sec, cnt; 478 /* starting_off is set to the SEEK_SET offset 479 * where the crypto structure starts 480 */ 481 off64_t starting_off; 482 int rc = -1; 483 char *fname = NULL; 484 struct stat statbuf; 485 486 if (get_crypt_ftr_info(&fname, &starting_off)) { 487 SLOGE("Unable to get crypt_ftr_info\n"); 488 return -1; 489 } 490 if (fname[0] != '/') { 491 SLOGE("Unexpected value for crypto key location\n"); 492 return -1; 493 } 494 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 495 SLOGE("Cannot open footer file %s for put\n", fname); 496 return -1; 497 } 498 499 /* Seek to the start of the crypt footer */ 500 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 501 SLOGE("Cannot seek to real block device footer\n"); 502 goto errout; 503 } 504 505 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 506 SLOGE("Cannot write real block device footer\n"); 507 goto errout; 508 } 509 510 fstat(fd, &statbuf); 511 /* If the keys are kept on a raw block device, do not try to truncate it. */ 512 if (S_ISREG(statbuf.st_mode)) { 513 if (ftruncate(fd, 0x4000)) { 514 SLOGE("Cannot set footer file size\n"); 515 goto errout; 516 } 517 } 518 519 /* Success! */ 520 rc = 0; 521 522errout: 523 close(fd); 524 return rc; 525 526} 527 528static inline int unix_read(int fd, void* buff, int len) 529{ 530 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 531} 532 533static inline int unix_write(int fd, const void* buff, int len) 534{ 535 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 536} 537 538static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 539{ 540 memset(pdata, 0, len); 541 pdata->persist_magic = PERSIST_DATA_MAGIC; 542 pdata->persist_valid_entries = 0; 543} 544 545/* A routine to update the passed in crypt_ftr to the lastest version. 546 * fd is open read/write on the device that holds the crypto footer and persistent 547 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 548 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 549 */ 550static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 551{ 552 int orig_major = crypt_ftr->major_version; 553 int orig_minor = crypt_ftr->minor_version; 554 555 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 556 struct crypt_persist_data *pdata; 557 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 558 559 SLOGW("upgrading crypto footer to 1.1"); 560 561 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 562 if (pdata == NULL) { 563 SLOGE("Cannot allocate persisent data\n"); 564 return; 565 } 566 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 567 568 /* Need to initialize the persistent data area */ 569 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 570 SLOGE("Cannot seek to persisent data offset\n"); 571 return; 572 } 573 /* Write all zeros to the first copy, making it invalid */ 574 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 575 576 /* Write a valid but empty structure to the second copy */ 577 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 578 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 579 580 /* Update the footer */ 581 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 582 crypt_ftr->persist_data_offset[0] = pdata_offset; 583 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 584 crypt_ftr->minor_version = 1; 585 } 586 587 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 588 SLOGW("upgrading crypto footer to 1.2"); 589 /* But keep the old kdf_type. 590 * It will get updated later to KDF_SCRYPT after the password has been verified. 591 */ 592 crypt_ftr->kdf_type = KDF_PBKDF2; 593 get_device_scrypt_params(crypt_ftr); 594 crypt_ftr->minor_version = 2; 595 } 596 597 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 598 SLOGW("upgrading crypto footer to 1.3"); 599 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 600 crypt_ftr->minor_version = 3; 601 } 602 603 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 604 if (lseek64(fd, offset, SEEK_SET) == -1) { 605 SLOGE("Cannot seek to crypt footer\n"); 606 return; 607 } 608 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 609 } 610} 611 612 613static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 614{ 615 int fd; 616 unsigned int nr_sec, cnt; 617 off64_t starting_off; 618 int rc = -1; 619 char *fname = NULL; 620 struct stat statbuf; 621 622 if (get_crypt_ftr_info(&fname, &starting_off)) { 623 SLOGE("Unable to get crypt_ftr_info\n"); 624 return -1; 625 } 626 if (fname[0] != '/') { 627 SLOGE("Unexpected value for crypto key location\n"); 628 return -1; 629 } 630 if ( (fd = open(fname, O_RDWR)) < 0) { 631 SLOGE("Cannot open footer file %s for get\n", fname); 632 return -1; 633 } 634 635 /* Make sure it's 16 Kbytes in length */ 636 fstat(fd, &statbuf); 637 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 638 SLOGE("footer file %s is not the expected size!\n", fname); 639 goto errout; 640 } 641 642 /* Seek to the start of the crypt footer */ 643 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 644 SLOGE("Cannot seek to real block device footer\n"); 645 goto errout; 646 } 647 648 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 649 SLOGE("Cannot read real block device footer\n"); 650 goto errout; 651 } 652 653 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 654 SLOGE("Bad magic for real block device %s\n", fname); 655 goto errout; 656 } 657 658 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 659 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 660 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 661 goto errout; 662 } 663 664 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 665 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 666 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 667 } 668 669 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 670 * copy on disk before returning. 671 */ 672 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 673 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 674 } 675 676 /* Success! */ 677 rc = 0; 678 679errout: 680 close(fd); 681 return rc; 682} 683 684static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 685{ 686 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 687 crypt_ftr->persist_data_offset[1]) { 688 SLOGE("Crypt_ftr persist data regions overlap"); 689 return -1; 690 } 691 692 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 693 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 694 return -1; 695 } 696 697 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 698 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 699 CRYPT_FOOTER_OFFSET) { 700 SLOGE("Persistent data extends past crypto footer"); 701 return -1; 702 } 703 704 return 0; 705} 706 707static int load_persistent_data(void) 708{ 709 struct crypt_mnt_ftr crypt_ftr; 710 struct crypt_persist_data *pdata = NULL; 711 char encrypted_state[PROPERTY_VALUE_MAX]; 712 char *fname; 713 int found = 0; 714 int fd; 715 int ret; 716 int i; 717 718 if (persist_data) { 719 /* Nothing to do, we've already loaded or initialized it */ 720 return 0; 721 } 722 723 724 /* If not encrypted, just allocate an empty table and initialize it */ 725 property_get("ro.crypto.state", encrypted_state, ""); 726 if (strcmp(encrypted_state, "encrypted") ) { 727 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 728 if (pdata) { 729 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 730 persist_data = pdata; 731 return 0; 732 } 733 return -1; 734 } 735 736 if(get_crypt_ftr_and_key(&crypt_ftr)) { 737 return -1; 738 } 739 740 if ((crypt_ftr.major_version < 1) 741 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 742 SLOGE("Crypt_ftr version doesn't support persistent data"); 743 return -1; 744 } 745 746 if (get_crypt_ftr_info(&fname, NULL)) { 747 return -1; 748 } 749 750 ret = validate_persistent_data_storage(&crypt_ftr); 751 if (ret) { 752 return -1; 753 } 754 755 fd = open(fname, O_RDONLY); 756 if (fd < 0) { 757 SLOGE("Cannot open %s metadata file", fname); 758 return -1; 759 } 760 761 if (persist_data == NULL) { 762 pdata = malloc(crypt_ftr.persist_data_size); 763 if (pdata == NULL) { 764 SLOGE("Cannot allocate memory for persistent data"); 765 goto err; 766 } 767 } 768 769 for (i = 0; i < 2; i++) { 770 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 771 SLOGE("Cannot seek to read persistent data on %s", fname); 772 goto err2; 773 } 774 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 775 SLOGE("Error reading persistent data on iteration %d", i); 776 goto err2; 777 } 778 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 779 found = 1; 780 break; 781 } 782 } 783 784 if (!found) { 785 SLOGI("Could not find valid persistent data, creating"); 786 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 787 } 788 789 /* Success */ 790 persist_data = pdata; 791 close(fd); 792 return 0; 793 794err2: 795 free(pdata); 796 797err: 798 close(fd); 799 return -1; 800} 801 802static int save_persistent_data(void) 803{ 804 struct crypt_mnt_ftr crypt_ftr; 805 struct crypt_persist_data *pdata; 806 char *fname; 807 off64_t write_offset; 808 off64_t erase_offset; 809 int found = 0; 810 int fd; 811 int ret; 812 813 if (persist_data == NULL) { 814 SLOGE("No persistent data to save"); 815 return -1; 816 } 817 818 if(get_crypt_ftr_and_key(&crypt_ftr)) { 819 return -1; 820 } 821 822 if ((crypt_ftr.major_version < 1) 823 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 824 SLOGE("Crypt_ftr version doesn't support persistent data"); 825 return -1; 826 } 827 828 ret = validate_persistent_data_storage(&crypt_ftr); 829 if (ret) { 830 return -1; 831 } 832 833 if (get_crypt_ftr_info(&fname, NULL)) { 834 return -1; 835 } 836 837 fd = open(fname, O_RDWR); 838 if (fd < 0) { 839 SLOGE("Cannot open %s metadata file", fname); 840 return -1; 841 } 842 843 pdata = malloc(crypt_ftr.persist_data_size); 844 if (pdata == NULL) { 845 SLOGE("Cannot allocate persistant data"); 846 goto err; 847 } 848 849 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 850 SLOGE("Cannot seek to read persistent data on %s", fname); 851 goto err2; 852 } 853 854 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 855 SLOGE("Error reading persistent data before save"); 856 goto err2; 857 } 858 859 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 860 /* The first copy is the curent valid copy, so write to 861 * the second copy and erase this one */ 862 write_offset = crypt_ftr.persist_data_offset[1]; 863 erase_offset = crypt_ftr.persist_data_offset[0]; 864 } else { 865 /* The second copy must be the valid copy, so write to 866 * the first copy, and erase the second */ 867 write_offset = crypt_ftr.persist_data_offset[0]; 868 erase_offset = crypt_ftr.persist_data_offset[1]; 869 } 870 871 /* Write the new copy first, if successful, then erase the old copy */ 872 if (lseek(fd, write_offset, SEEK_SET) < 0) { 873 SLOGE("Cannot seek to write persistent data"); 874 goto err2; 875 } 876 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 877 (int) crypt_ftr.persist_data_size) { 878 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 879 SLOGE("Cannot seek to erase previous persistent data"); 880 goto err2; 881 } 882 fsync(fd); 883 memset(pdata, 0, crypt_ftr.persist_data_size); 884 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 885 (int) crypt_ftr.persist_data_size) { 886 SLOGE("Cannot write to erase previous persistent data"); 887 goto err2; 888 } 889 fsync(fd); 890 } else { 891 SLOGE("Cannot write to save persistent data"); 892 goto err2; 893 } 894 895 /* Success */ 896 free(pdata); 897 close(fd); 898 return 0; 899 900err2: 901 free(pdata); 902err: 903 close(fd); 904 return -1; 905} 906 907static int hexdigit (char c) 908{ 909 if (c >= '0' && c <= '9') return c - '0'; 910 c = tolower(c); 911 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 912 return -1; 913} 914 915static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 916 unsigned int* out_keysize) 917{ 918 unsigned int i; 919 *out_keysize = 0; 920 921 size_t size = strlen (master_key_ascii); 922 if (size % 2) { 923 SLOGE("Trying to convert ascii string of odd length"); 924 return NULL; 925 } 926 927 unsigned char* master_key = (unsigned char*) malloc(size / 2); 928 if (master_key == 0) { 929 SLOGE("Cannot allocate"); 930 return NULL; 931 } 932 933 for (i = 0; i < size; i += 2) { 934 int high_nibble = hexdigit (master_key_ascii[i]); 935 int low_nibble = hexdigit (master_key_ascii[i + 1]); 936 937 if(high_nibble < 0 || low_nibble < 0) { 938 SLOGE("Invalid hex string"); 939 free (master_key); 940 return NULL; 941 } 942 943 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 944 (*out_keysize)++; 945 } 946 947 return master_key; 948} 949 950/* Convert a binary key of specified length into an ascii hex string equivalent, 951 * without the leading 0x and with null termination 952 */ 953static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 954 char *master_key_ascii) 955{ 956 unsigned int i, a; 957 unsigned char nibble; 958 959 for (i=0, a=0; i<keysize; i++, a+=2) { 960 /* For each byte, write out two ascii hex digits */ 961 nibble = (master_key[i] >> 4) & 0xf; 962 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 963 964 nibble = master_key[i] & 0xf; 965 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 966 } 967 968 /* Add the null termination */ 969 master_key_ascii[a] = '\0'; 970 971} 972 973static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 974 char *real_blk_name, const char *name, int fd, 975 char *extra_params) 976{ 977 char buffer[DM_CRYPT_BUF_SIZE]; 978 struct dm_ioctl *io; 979 struct dm_target_spec *tgt; 980 char *crypt_params; 981 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 982 int i; 983 984 io = (struct dm_ioctl *) buffer; 985 986 /* Load the mapping table for this device */ 987 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 988 989 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 990 io->target_count = 1; 991 tgt->status = 0; 992 tgt->sector_start = 0; 993 tgt->length = crypt_ftr->fs_size; 994 strcpy(tgt->target_type, "crypt"); 995 996 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 997 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 998 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 999 master_key_ascii, real_blk_name, extra_params); 1000 crypt_params += strlen(crypt_params) + 1; 1001 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1002 tgt->next = crypt_params - buffer; 1003 1004 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1005 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1006 break; 1007 } 1008 usleep(500000); 1009 } 1010 1011 if (i == TABLE_LOAD_RETRIES) { 1012 /* We failed to load the table, return an error */ 1013 return -1; 1014 } else { 1015 return i + 1; 1016 } 1017} 1018 1019 1020static int get_dm_crypt_version(int fd, const char *name, int *version) 1021{ 1022 char buffer[DM_CRYPT_BUF_SIZE]; 1023 struct dm_ioctl *io; 1024 struct dm_target_versions *v; 1025 int i; 1026 1027 io = (struct dm_ioctl *) buffer; 1028 1029 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1030 1031 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1032 return -1; 1033 } 1034 1035 /* Iterate over the returned versions, looking for name of "crypt". 1036 * When found, get and return the version. 1037 */ 1038 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1039 while (v->next) { 1040 if (! strcmp(v->name, "crypt")) { 1041 /* We found the crypt driver, return the version, and get out */ 1042 version[0] = v->version[0]; 1043 version[1] = v->version[1]; 1044 version[2] = v->version[2]; 1045 return 0; 1046 } 1047 v = (struct dm_target_versions *)(((char *)v) + v->next); 1048 } 1049 1050 return -1; 1051} 1052 1053static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1054 char *real_blk_name, char *crypto_blk_name, const char *name) 1055{ 1056 char buffer[DM_CRYPT_BUF_SIZE]; 1057 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1058 char *crypt_params; 1059 struct dm_ioctl *io; 1060 struct dm_target_spec *tgt; 1061 unsigned int minor; 1062 int fd; 1063 int i; 1064 int retval = -1; 1065 int version[3]; 1066 char *extra_params; 1067 int load_count; 1068 1069 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1070 SLOGE("Cannot open device-mapper\n"); 1071 goto errout; 1072 } 1073 1074 io = (struct dm_ioctl *) buffer; 1075 1076 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1077 if (ioctl(fd, DM_DEV_CREATE, io)) { 1078 SLOGE("Cannot create dm-crypt device\n"); 1079 goto errout; 1080 } 1081 1082 /* Get the device status, in particular, the name of it's device file */ 1083 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1084 if (ioctl(fd, DM_DEV_STATUS, io)) { 1085 SLOGE("Cannot retrieve dm-crypt device status\n"); 1086 goto errout; 1087 } 1088 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1089 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1090 1091 extra_params = ""; 1092 if (! get_dm_crypt_version(fd, name, version)) { 1093 /* Support for allow_discards was added in version 1.11.0 */ 1094 if ((version[0] >= 2) || 1095 ((version[0] == 1) && (version[1] >= 11))) { 1096 extra_params = "1 allow_discards"; 1097 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1098 } 1099 } 1100 1101 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1102 fd, extra_params); 1103 if (load_count < 0) { 1104 SLOGE("Cannot load dm-crypt mapping table.\n"); 1105 goto errout; 1106 } else if (load_count > 1) { 1107 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1108 } 1109 1110 /* Resume this device to activate it */ 1111 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1112 1113 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1114 SLOGE("Cannot resume the dm-crypt device\n"); 1115 goto errout; 1116 } 1117 1118 /* We made it here with no errors. Woot! */ 1119 retval = 0; 1120 1121errout: 1122 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1123 1124 return retval; 1125} 1126 1127static int delete_crypto_blk_dev(char *name) 1128{ 1129 int fd; 1130 char buffer[DM_CRYPT_BUF_SIZE]; 1131 struct dm_ioctl *io; 1132 int retval = -1; 1133 1134 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1135 SLOGE("Cannot open device-mapper\n"); 1136 goto errout; 1137 } 1138 1139 io = (struct dm_ioctl *) buffer; 1140 1141 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1142 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1143 SLOGE("Cannot remove dm-crypt device\n"); 1144 goto errout; 1145 } 1146 1147 /* We made it here with no errors. Woot! */ 1148 retval = 0; 1149 1150errout: 1151 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1152 1153 return retval; 1154 1155} 1156 1157static int pbkdf2(const char *passwd, const unsigned char *salt, 1158 unsigned char *ikey, void *params UNUSED) 1159{ 1160 SLOGI("Using pbkdf2 for cryptfs KDF"); 1161 1162 /* Turn the password into a key and IV that can decrypt the master key */ 1163 unsigned int keysize; 1164 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1165 if (!master_key) return -1; 1166 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1167 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1168 1169 memset(master_key, 0, keysize); 1170 free (master_key); 1171 return 0; 1172} 1173 1174static int scrypt(const char *passwd, const unsigned char *salt, 1175 unsigned char *ikey, void *params) 1176{ 1177 SLOGI("Using scrypt for cryptfs KDF"); 1178 1179 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1180 1181 int N = 1 << ftr->N_factor; 1182 int r = 1 << ftr->r_factor; 1183 int p = 1 << ftr->p_factor; 1184 1185 /* Turn the password into a key and IV that can decrypt the master key */ 1186 unsigned int keysize; 1187 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1188 if (!master_key) return -1; 1189 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1190 KEY_LEN_BYTES + IV_LEN_BYTES); 1191 1192 memset(master_key, 0, keysize); 1193 free (master_key); 1194 return 0; 1195} 1196 1197static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1198 unsigned char *ikey, void *params) 1199{ 1200 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1201 1202 int rc; 1203 unsigned int key_size; 1204 size_t signature_size; 1205 unsigned char* signature; 1206 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1207 1208 int N = 1 << ftr->N_factor; 1209 int r = 1 << ftr->r_factor; 1210 int p = 1 << ftr->p_factor; 1211 1212 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1213 if (!master_key) { 1214 SLOGE("Failed to convert passwd from hex"); 1215 return -1; 1216 } 1217 1218 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1219 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1220 memset(master_key, 0, key_size); 1221 free(master_key); 1222 1223 if (rc) { 1224 SLOGE("scrypt failed"); 1225 return -1; 1226 } 1227 1228 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1229 &signature, &signature_size)) { 1230 SLOGE("Signing failed"); 1231 return -1; 1232 } 1233 1234 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1235 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1236 free(signature); 1237 1238 if (rc) { 1239 SLOGE("scrypt failed"); 1240 return -1; 1241 } 1242 1243 return 0; 1244} 1245 1246static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1247 const unsigned char *decrypted_master_key, 1248 unsigned char *encrypted_master_key, 1249 struct crypt_mnt_ftr *crypt_ftr) 1250{ 1251 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1252 EVP_CIPHER_CTX e_ctx; 1253 int encrypted_len, final_len; 1254 int rc = 0; 1255 1256 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1257 get_device_scrypt_params(crypt_ftr); 1258 1259 switch (crypt_ftr->kdf_type) { 1260 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1261 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1262 case KDF_SCRYPT_KEYMASTER: 1263 if (keymaster_create_key(crypt_ftr)) { 1264 SLOGE("keymaster_create_key failed"); 1265 return -1; 1266 } 1267 1268 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1269 SLOGE("scrypt failed"); 1270 return -1; 1271 } 1272 break; 1273 1274 case KDF_SCRYPT: 1275 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1276 SLOGE("scrypt failed"); 1277 return -1; 1278 } 1279 break; 1280 1281 default: 1282 SLOGE("Invalid kdf_type"); 1283 return -1; 1284 } 1285 1286 /* Initialize the decryption engine */ 1287 EVP_CIPHER_CTX_init(&e_ctx); 1288 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1289 SLOGE("EVP_EncryptInit failed\n"); 1290 return -1; 1291 } 1292 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1293 1294 /* Encrypt the master key */ 1295 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1296 decrypted_master_key, KEY_LEN_BYTES)) { 1297 SLOGE("EVP_EncryptUpdate failed\n"); 1298 return -1; 1299 } 1300 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1301 SLOGE("EVP_EncryptFinal failed\n"); 1302 return -1; 1303 } 1304 1305 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1306 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1307 return -1; 1308 } 1309 1310 /* Store the scrypt of the intermediate key, so we can validate if it's a 1311 password error or mount error when things go wrong. 1312 Note there's no need to check for errors, since if this is incorrect, we 1313 simply won't wipe userdata, which is the correct default behavior 1314 */ 1315 int N = 1 << crypt_ftr->N_factor; 1316 int r = 1 << crypt_ftr->r_factor; 1317 int p = 1 << crypt_ftr->p_factor; 1318 1319 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1320 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1321 crypt_ftr->scrypted_intermediate_key, 1322 sizeof(crypt_ftr->scrypted_intermediate_key)); 1323 1324 if (rc) { 1325 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1326 } 1327 1328 return 0; 1329} 1330 1331static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1332 unsigned char *encrypted_master_key, 1333 unsigned char *decrypted_master_key, 1334 kdf_func kdf, void *kdf_params, 1335 unsigned char** intermediate_key, 1336 size_t* intermediate_key_size) 1337{ 1338 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1339 EVP_CIPHER_CTX d_ctx; 1340 int decrypted_len, final_len; 1341 1342 /* Turn the password into an intermediate key and IV that can decrypt the 1343 master key */ 1344 if (kdf(passwd, salt, ikey, kdf_params)) { 1345 SLOGE("kdf failed"); 1346 return -1; 1347 } 1348 1349 /* Initialize the decryption engine */ 1350 EVP_CIPHER_CTX_init(&d_ctx); 1351 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1352 return -1; 1353 } 1354 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1355 /* Decrypt the master key */ 1356 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1357 encrypted_master_key, KEY_LEN_BYTES)) { 1358 return -1; 1359 } 1360 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1361 return -1; 1362 } 1363 1364 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1365 return -1; 1366 } 1367 1368 /* Copy intermediate key if needed by params */ 1369 if (intermediate_key && intermediate_key_size) { 1370 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1371 if (intermediate_key) { 1372 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1373 *intermediate_key_size = KEY_LEN_BYTES; 1374 } 1375 } 1376 1377 return 0; 1378} 1379 1380static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1381{ 1382 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1383 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1384 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1385 *kdf = scrypt_keymaster; 1386 *kdf_params = ftr; 1387 } else if (ftr->kdf_type == KDF_SCRYPT) { 1388 *kdf = scrypt; 1389 *kdf_params = ftr; 1390 } else { 1391 *kdf = pbkdf2; 1392 *kdf_params = NULL; 1393 } 1394} 1395 1396static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1397 struct crypt_mnt_ftr *crypt_ftr, 1398 unsigned char** intermediate_key, 1399 size_t* intermediate_key_size) 1400{ 1401 kdf_func kdf; 1402 void *kdf_params; 1403 int ret; 1404 1405 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1406 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1407 decrypted_master_key, kdf, kdf_params, 1408 intermediate_key, intermediate_key_size); 1409 if (ret != 0) { 1410 SLOGW("failure decrypting master key"); 1411 } 1412 1413 return ret; 1414} 1415 1416static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1417 struct crypt_mnt_ftr *crypt_ftr) { 1418 int fd; 1419 unsigned char key_buf[KEY_LEN_BYTES]; 1420 EVP_CIPHER_CTX e_ctx; 1421 int encrypted_len, final_len; 1422 1423 /* Get some random bits for a key */ 1424 fd = open("/dev/urandom", O_RDONLY); 1425 read(fd, key_buf, sizeof(key_buf)); 1426 read(fd, salt, SALT_LEN); 1427 close(fd); 1428 1429 /* Now encrypt it with the password */ 1430 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1431} 1432 1433static int wait_and_unmount(char *mountpoint, bool kill) 1434{ 1435 int i, err, rc; 1436#define WAIT_UNMOUNT_COUNT 20 1437 1438 /* Now umount the tmpfs filesystem */ 1439 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1440 if (umount(mountpoint) == 0) { 1441 break; 1442 } 1443 1444 if (errno == EINVAL) { 1445 /* EINVAL is returned if the directory is not a mountpoint, 1446 * i.e. there is no filesystem mounted there. So just get out. 1447 */ 1448 break; 1449 } 1450 1451 err = errno; 1452 1453 /* If allowed, be increasingly aggressive before the last two retries */ 1454 if (kill) { 1455 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1456 SLOGW("sending SIGHUP to processes with open files\n"); 1457 vold_killProcessesWithOpenFiles(mountpoint, 1); 1458 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1459 SLOGW("sending SIGKILL to processes with open files\n"); 1460 vold_killProcessesWithOpenFiles(mountpoint, 2); 1461 } 1462 } 1463 1464 sleep(1); 1465 } 1466 1467 if (i < WAIT_UNMOUNT_COUNT) { 1468 SLOGD("unmounting %s succeeded\n", mountpoint); 1469 rc = 0; 1470 } else { 1471 vold_killProcessesWithOpenFiles(mountpoint, 0); 1472 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1473 rc = -1; 1474 } 1475 1476 return rc; 1477} 1478 1479#define DATA_PREP_TIMEOUT 200 1480static int prep_data_fs(void) 1481{ 1482 int i; 1483 1484 /* Do the prep of the /data filesystem */ 1485 property_set("vold.post_fs_data_done", "0"); 1486 property_set("vold.decrypt", "trigger_post_fs_data"); 1487 SLOGD("Just triggered post_fs_data\n"); 1488 1489 /* Wait a max of 50 seconds, hopefully it takes much less */ 1490 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1491 char p[PROPERTY_VALUE_MAX]; 1492 1493 property_get("vold.post_fs_data_done", p, "0"); 1494 if (*p == '1') { 1495 break; 1496 } else { 1497 usleep(250000); 1498 } 1499 } 1500 if (i == DATA_PREP_TIMEOUT) { 1501 /* Ugh, we failed to prep /data in time. Bail. */ 1502 SLOGE("post_fs_data timed out!\n"); 1503 return -1; 1504 } else { 1505 SLOGD("post_fs_data done\n"); 1506 return 0; 1507 } 1508} 1509 1510static void cryptfs_set_corrupt() 1511{ 1512 // Mark the footer as bad 1513 struct crypt_mnt_ftr crypt_ftr; 1514 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1515 SLOGE("Failed to get crypto footer - panic"); 1516 return; 1517 } 1518 1519 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1520 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1521 SLOGE("Failed to set crypto footer - panic"); 1522 return; 1523 } 1524} 1525 1526static void cryptfs_trigger_restart_min_framework() 1527{ 1528 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1529 SLOGE("Failed to mount tmpfs on data - panic"); 1530 return; 1531 } 1532 1533 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1534 SLOGE("Failed to trigger post fs data - panic"); 1535 return; 1536 } 1537 1538 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1539 SLOGE("Failed to trigger restart min framework - panic"); 1540 return; 1541 } 1542} 1543 1544/* returns < 0 on failure */ 1545static int cryptfs_restart_internal(int restart_main) 1546{ 1547 char fs_type[32]; 1548 char real_blkdev[MAXPATHLEN]; 1549 char crypto_blkdev[MAXPATHLEN]; 1550 char fs_options[256]; 1551 unsigned long mnt_flags; 1552 struct stat statbuf; 1553 int rc = -1, i; 1554 static int restart_successful = 0; 1555 1556 /* Validate that it's OK to call this routine */ 1557 if (! master_key_saved) { 1558 SLOGE("Encrypted filesystem not validated, aborting"); 1559 return -1; 1560 } 1561 1562 if (restart_successful) { 1563 SLOGE("System already restarted with encrypted disk, aborting"); 1564 return -1; 1565 } 1566 1567 if (restart_main) { 1568 /* Here is where we shut down the framework. The init scripts 1569 * start all services in one of three classes: core, main or late_start. 1570 * On boot, we start core and main. Now, we stop main, but not core, 1571 * as core includes vold and a few other really important things that 1572 * we need to keep running. Once main has stopped, we should be able 1573 * to umount the tmpfs /data, then mount the encrypted /data. 1574 * We then restart the class main, and also the class late_start. 1575 * At the moment, I've only put a few things in late_start that I know 1576 * are not needed to bring up the framework, and that also cause problems 1577 * with unmounting the tmpfs /data, but I hope to add add more services 1578 * to the late_start class as we optimize this to decrease the delay 1579 * till the user is asked for the password to the filesystem. 1580 */ 1581 1582 /* The init files are setup to stop the class main when vold.decrypt is 1583 * set to trigger_reset_main. 1584 */ 1585 property_set("vold.decrypt", "trigger_reset_main"); 1586 SLOGD("Just asked init to shut down class main\n"); 1587 1588 /* Ugh, shutting down the framework is not synchronous, so until it 1589 * can be fixed, this horrible hack will wait a moment for it all to 1590 * shut down before proceeding. Without it, some devices cannot 1591 * restart the graphics services. 1592 */ 1593 sleep(2); 1594 } 1595 1596 /* Now that the framework is shutdown, we should be able to umount() 1597 * the tmpfs filesystem, and mount the real one. 1598 */ 1599 1600 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1601 if (strlen(crypto_blkdev) == 0) { 1602 SLOGE("fs_crypto_blkdev not set\n"); 1603 return -1; 1604 } 1605 1606 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1607 /* If ro.crypto.readonly is set to 1, mount the decrypted 1608 * filesystem readonly. This is used when /data is mounted by 1609 * recovery mode. 1610 */ 1611 char ro_prop[PROPERTY_VALUE_MAX]; 1612 property_get("ro.crypto.readonly", ro_prop, ""); 1613 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1614 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1615 rec->flags |= MS_RDONLY; 1616 } 1617 1618 /* If that succeeded, then mount the decrypted filesystem */ 1619 int retries = RETRY_MOUNT_ATTEMPTS; 1620 int mount_rc; 1621 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1622 crypto_blkdev, 0)) 1623 != 0) { 1624 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1625 /* TODO: invoke something similar to 1626 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1627 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1628 SLOGI("Failed to mount %s because it is busy - waiting", 1629 crypto_blkdev); 1630 if (--retries) { 1631 sleep(RETRY_MOUNT_DELAY_SECONDS); 1632 } else { 1633 /* Let's hope that a reboot clears away whatever is keeping 1634 the mount busy */ 1635 cryptfs_reboot(reboot); 1636 } 1637 } else { 1638 SLOGE("Failed to mount decrypted data"); 1639 cryptfs_set_corrupt(); 1640 cryptfs_trigger_restart_min_framework(); 1641 SLOGI("Started framework to offer wipe"); 1642 return -1; 1643 } 1644 } 1645 1646 property_set("vold.decrypt", "trigger_load_persist_props"); 1647 /* Create necessary paths on /data */ 1648 if (prep_data_fs()) { 1649 return -1; 1650 } 1651 1652 /* startup service classes main and late_start */ 1653 property_set("vold.decrypt", "trigger_restart_framework"); 1654 SLOGD("Just triggered restart_framework\n"); 1655 1656 /* Give it a few moments to get started */ 1657 sleep(1); 1658 } 1659 1660 if (rc == 0) { 1661 restart_successful = 1; 1662 } 1663 1664 return rc; 1665} 1666 1667int cryptfs_restart(void) 1668{ 1669 /* Call internal implementation forcing a restart of main service group */ 1670 return cryptfs_restart_internal(1); 1671} 1672 1673static int do_crypto_complete(char *mount_point UNUSED) 1674{ 1675 struct crypt_mnt_ftr crypt_ftr; 1676 char encrypted_state[PROPERTY_VALUE_MAX]; 1677 char key_loc[PROPERTY_VALUE_MAX]; 1678 1679 property_get("ro.crypto.state", encrypted_state, ""); 1680 if (strcmp(encrypted_state, "encrypted") ) { 1681 SLOGE("not running with encryption, aborting"); 1682 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1683 } 1684 1685 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1686 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1687 1688 /* 1689 * Only report this error if key_loc is a file and it exists. 1690 * If the device was never encrypted, and /data is not mountable for 1691 * some reason, returning 1 should prevent the UI from presenting the 1692 * a "enter password" screen, or worse, a "press button to wipe the 1693 * device" screen. 1694 */ 1695 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1696 SLOGE("master key file does not exist, aborting"); 1697 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1698 } else { 1699 SLOGE("Error getting crypt footer and key\n"); 1700 return CRYPTO_COMPLETE_BAD_METADATA; 1701 } 1702 } 1703 1704 // Test for possible error flags 1705 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1706 SLOGE("Encryption process is partway completed\n"); 1707 return CRYPTO_COMPLETE_PARTIAL; 1708 } 1709 1710 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1711 SLOGE("Encryption process was interrupted but cannot continue\n"); 1712 return CRYPTO_COMPLETE_INCONSISTENT; 1713 } 1714 1715 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1716 SLOGE("Encryption is successful but data is corrupt\n"); 1717 return CRYPTO_COMPLETE_CORRUPT; 1718 } 1719 1720 /* We passed the test! We shall diminish, and return to the west */ 1721 return CRYPTO_COMPLETE_ENCRYPTED; 1722} 1723 1724static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1725 char *passwd, char *mount_point, char *label) 1726{ 1727 /* Allocate enough space for a 256 bit key, but we may use less */ 1728 unsigned char decrypted_master_key[32]; 1729 char crypto_blkdev[MAXPATHLEN]; 1730 char real_blkdev[MAXPATHLEN]; 1731 char tmp_mount_point[64]; 1732 unsigned int orig_failed_decrypt_count; 1733 int rc; 1734 kdf_func kdf; 1735 void *kdf_params; 1736 int use_keymaster = 0; 1737 int upgrade = 0; 1738 unsigned char* intermediate_key = 0; 1739 size_t intermediate_key_size = 0; 1740 1741 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1742 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1743 1744 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1745 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1746 &intermediate_key, &intermediate_key_size)) { 1747 SLOGE("Failed to decrypt master key\n"); 1748 rc = -1; 1749 goto errout; 1750 } 1751 } 1752 1753 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1754 1755 // Create crypto block device - all (non fatal) code paths 1756 // need it 1757 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1758 real_blkdev, crypto_blkdev, label)) { 1759 SLOGE("Error creating decrypted block device\n"); 1760 rc = -1; 1761 goto errout; 1762 } 1763 1764 /* Work out if the problem is the password or the data */ 1765 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1766 scrypted_intermediate_key)]; 1767 int N = 1 << crypt_ftr->N_factor; 1768 int r = 1 << crypt_ftr->r_factor; 1769 int p = 1 << crypt_ftr->p_factor; 1770 1771 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1772 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1773 N, r, p, scrypted_intermediate_key, 1774 sizeof(scrypted_intermediate_key)); 1775 1776 // Does the key match the crypto footer? 1777 if (rc == 0 && memcmp(scrypted_intermediate_key, 1778 crypt_ftr->scrypted_intermediate_key, 1779 sizeof(scrypted_intermediate_key)) == 0) { 1780 SLOGI("Password matches"); 1781 rc = 0; 1782 } else { 1783 /* Try mounting the file system anyway, just in case the problem's with 1784 * the footer, not the key. */ 1785 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1786 mkdir(tmp_mount_point, 0755); 1787 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1788 SLOGE("Error temp mounting decrypted block device\n"); 1789 delete_crypto_blk_dev(label); 1790 1791 rc = ++crypt_ftr->failed_decrypt_count; 1792 put_crypt_ftr_and_key(crypt_ftr); 1793 } else { 1794 /* Success! */ 1795 SLOGI("Password did not match but decrypted drive mounted - continue"); 1796 umount(tmp_mount_point); 1797 rc = 0; 1798 } 1799 } 1800 1801 if (rc == 0) { 1802 crypt_ftr->failed_decrypt_count = 0; 1803 if (orig_failed_decrypt_count != 0) { 1804 put_crypt_ftr_and_key(crypt_ftr); 1805 } 1806 1807 /* Save the name of the crypto block device 1808 * so we can mount it when restarting the framework. */ 1809 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1810 1811 /* Also save a the master key so we can reencrypted the key 1812 * the key when we want to change the password on it. */ 1813 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1814 saved_mount_point = strdup(mount_point); 1815 master_key_saved = 1; 1816 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1817 rc = 0; 1818 1819 // Upgrade if we're not using the latest KDF. 1820 use_keymaster = keymaster_check_compatibility(); 1821 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1822 // Don't allow downgrade 1823 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1824 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1825 upgrade = 1; 1826 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1827 crypt_ftr->kdf_type = KDF_SCRYPT; 1828 upgrade = 1; 1829 } 1830 1831 if (upgrade) { 1832 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1833 crypt_ftr->master_key, crypt_ftr); 1834 if (!rc) { 1835 rc = put_crypt_ftr_and_key(crypt_ftr); 1836 } 1837 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1838 1839 // Do not fail even if upgrade failed - machine is bootable 1840 // Note that if this code is ever hit, there is a *serious* problem 1841 // since KDFs should never fail. You *must* fix the kdf before 1842 // proceeding! 1843 if (rc) { 1844 SLOGW("Upgrade failed with error %d," 1845 " but continuing with previous state", 1846 rc); 1847 rc = 0; 1848 } 1849 } 1850 } 1851 1852 errout: 1853 if (intermediate_key) { 1854 memset(intermediate_key, 0, intermediate_key_size); 1855 free(intermediate_key); 1856 } 1857 return rc; 1858} 1859 1860/* Called by vold when it wants to undo the crypto mapping of a volume it 1861 * manages. This is usually in response to a factory reset, when we want 1862 * to undo the crypto mapping so the volume is formatted in the clear. 1863 */ 1864int cryptfs_revert_volume(const char *label) 1865{ 1866 return delete_crypto_blk_dev((char *)label); 1867} 1868 1869/* 1870 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1871 * Setup a dm-crypt mapping, use the saved master key from 1872 * setting up the /data mapping, and return the new device path. 1873 */ 1874int cryptfs_setup_volume(const char *label, int major, int minor, 1875 char *crypto_sys_path, unsigned int max_path, 1876 int *new_major, int *new_minor) 1877{ 1878 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1879 struct crypt_mnt_ftr sd_crypt_ftr; 1880 struct stat statbuf; 1881 int nr_sec, fd; 1882 1883 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1884 1885 get_crypt_ftr_and_key(&sd_crypt_ftr); 1886 1887 /* Update the fs_size field to be the size of the volume */ 1888 fd = open(real_blkdev, O_RDONLY); 1889 nr_sec = get_blkdev_size(fd); 1890 close(fd); 1891 if (nr_sec == 0) { 1892 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1893 return -1; 1894 } 1895 1896 sd_crypt_ftr.fs_size = nr_sec; 1897 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1898 crypto_blkdev, label); 1899 1900 if (stat(crypto_blkdev, &statbuf) < 0) { 1901 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1902 crypto_blkdev, errno, strerror(errno)); 1903 } 1904 *new_major = MAJOR(statbuf.st_rdev); 1905 *new_minor = MINOR(statbuf.st_rdev); 1906 1907 /* Create path to sys entry for this block device */ 1908 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1909 1910 return 0; 1911} 1912 1913int cryptfs_crypto_complete(void) 1914{ 1915 return do_crypto_complete("/data"); 1916} 1917 1918int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1919{ 1920 char encrypted_state[PROPERTY_VALUE_MAX]; 1921 property_get("ro.crypto.state", encrypted_state, ""); 1922 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1923 SLOGE("encrypted fs already validated or not running with encryption," 1924 " aborting"); 1925 return -1; 1926 } 1927 1928 if (get_crypt_ftr_and_key(crypt_ftr)) { 1929 SLOGE("Error getting crypt footer and key"); 1930 return -1; 1931 } 1932 1933 return 0; 1934} 1935 1936/* 1937 * TODO - transition patterns to new format in calling code 1938 * and remove this vile hack, and the use of hex in 1939 * the password passing code. 1940 * 1941 * Patterns are passed in zero based (i.e. the top left dot 1942 * is represented by zero, the top middle one etc), but we want 1943 * to store them '1' based. 1944 * This is to allow us to migrate the calling code to use this 1945 * convention. It also solves a nasty problem whereby scrypt ignores 1946 * trailing zeros, so patterns ending at the top left could be 1947 * truncated, and similarly, you could add the top left to any 1948 * pattern and still match. 1949 * adjust_passwd is a hack function that returns the alternate representation 1950 * if the password appears to be a pattern (hex numbers all less than 09) 1951 * If it succeeds we need to try both, and in particular try the alternate 1952 * first. If the original matches, then we need to update the footer 1953 * with the alternate. 1954 * All code that accepts passwords must adjust them first. Since 1955 * cryptfs_check_passwd is always the first function called after a migration 1956 * (and indeed on any boot) we only need to do the double try in this 1957 * function. 1958 */ 1959char* adjust_passwd(const char* passwd) 1960{ 1961 size_t index, length; 1962 1963 if (!passwd) { 1964 return 0; 1965 } 1966 1967 // Check even length. Hex encoded passwords are always 1968 // an even length, since each character encodes to two characters. 1969 length = strlen(passwd); 1970 if (length % 2) { 1971 SLOGW("Password not correctly hex encoded."); 1972 return 0; 1973 } 1974 1975 // Check password is old-style pattern - a collection of hex 1976 // encoded bytes less than 9 (00 through 08) 1977 for (index = 0; index < length; index +=2) { 1978 if (passwd[index] != '0' 1979 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1980 return 0; 1981 } 1982 } 1983 1984 // Allocate room for adjusted passwd and null terminate 1985 char* adjusted = malloc(length + 1); 1986 adjusted[length] = 0; 1987 1988 // Add 0x31 ('1') to each character 1989 for (index = 0; index < length; index += 2) { 1990 // output is 31 through 39 so set first byte to three, second to src + 1 1991 adjusted[index] = '3'; 1992 adjusted[index + 1] = passwd[index + 1] + 1; 1993 } 1994 1995 return adjusted; 1996} 1997 1998int cryptfs_check_passwd(char *passwd) 1999{ 2000 struct crypt_mnt_ftr crypt_ftr; 2001 int rc; 2002 2003 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2004 if (rc) 2005 return rc; 2006 2007 char* adjusted_passwd = adjust_passwd(passwd); 2008 if (adjusted_passwd) { 2009 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2010 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2011 DATA_MNT_POINT, "userdata"); 2012 2013 // Maybe the original one still works? 2014 if (rc) { 2015 // Don't double count this failure 2016 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2017 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2018 DATA_MNT_POINT, "userdata"); 2019 if (!rc) { 2020 // cryptfs_changepw also adjusts so pass original 2021 // Note that adjust_passwd only recognises patterns 2022 // so we can safely use CRYPT_TYPE_PATTERN 2023 SLOGI("Updating pattern to new format"); 2024 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2025 } 2026 } 2027 free(adjusted_passwd); 2028 } else { 2029 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2030 DATA_MNT_POINT, "userdata"); 2031 } 2032 2033 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2034 cryptfs_clear_password(); 2035 password = strdup(passwd); 2036 struct timespec now; 2037 clock_gettime(CLOCK_BOOTTIME, &now); 2038 password_expiry_time = now.tv_sec + password_max_age_seconds; 2039 } 2040 2041 return rc; 2042} 2043 2044int cryptfs_verify_passwd(char *passwd) 2045{ 2046 struct crypt_mnt_ftr crypt_ftr; 2047 /* Allocate enough space for a 256 bit key, but we may use less */ 2048 unsigned char decrypted_master_key[32]; 2049 char encrypted_state[PROPERTY_VALUE_MAX]; 2050 int rc; 2051 2052 property_get("ro.crypto.state", encrypted_state, ""); 2053 if (strcmp(encrypted_state, "encrypted") ) { 2054 SLOGE("device not encrypted, aborting"); 2055 return -2; 2056 } 2057 2058 if (!master_key_saved) { 2059 SLOGE("encrypted fs not yet mounted, aborting"); 2060 return -1; 2061 } 2062 2063 if (!saved_mount_point) { 2064 SLOGE("encrypted fs failed to save mount point, aborting"); 2065 return -1; 2066 } 2067 2068 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2069 SLOGE("Error getting crypt footer and key\n"); 2070 return -1; 2071 } 2072 2073 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2074 /* If the device has no password, then just say the password is valid */ 2075 rc = 0; 2076 } else { 2077 char* adjusted_passwd = adjust_passwd(passwd); 2078 if (adjusted_passwd) { 2079 passwd = adjusted_passwd; 2080 } 2081 2082 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2083 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2084 /* They match, the password is correct */ 2085 rc = 0; 2086 } else { 2087 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2088 sleep(1); 2089 rc = 1; 2090 } 2091 2092 free(adjusted_passwd); 2093 } 2094 2095 return rc; 2096} 2097 2098/* Initialize a crypt_mnt_ftr structure. The keysize is 2099 * defaulted to 16 bytes, and the filesystem size to 0. 2100 * Presumably, at a minimum, the caller will update the 2101 * filesystem size and crypto_type_name after calling this function. 2102 */ 2103static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2104{ 2105 off64_t off; 2106 2107 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2108 ftr->magic = CRYPT_MNT_MAGIC; 2109 ftr->major_version = CURRENT_MAJOR_VERSION; 2110 ftr->minor_version = CURRENT_MINOR_VERSION; 2111 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2112 ftr->keysize = KEY_LEN_BYTES; 2113 2114 switch (keymaster_check_compatibility()) { 2115 case 1: 2116 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2117 break; 2118 2119 case 0: 2120 ftr->kdf_type = KDF_SCRYPT; 2121 break; 2122 2123 default: 2124 SLOGE("keymaster_check_compatibility failed"); 2125 return -1; 2126 } 2127 2128 get_device_scrypt_params(ftr); 2129 2130 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2131 if (get_crypt_ftr_info(NULL, &off) == 0) { 2132 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2133 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2134 ftr->persist_data_size; 2135 } 2136 2137 return 0; 2138} 2139 2140static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2141{ 2142 const char *args[10]; 2143 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2144 int num_args; 2145 int status; 2146 int tmp; 2147 int rc = -1; 2148 2149 if (type == EXT4_FS) { 2150 args[0] = "/system/bin/make_ext4fs"; 2151 args[1] = "-a"; 2152 args[2] = "/data"; 2153 args[3] = "-l"; 2154 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2155 args[4] = size_str; 2156 args[5] = crypto_blkdev; 2157 num_args = 6; 2158 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2159 args[0], args[1], args[2], args[3], args[4], args[5]); 2160 } else if (type == F2FS_FS) { 2161 args[0] = "/system/bin/mkfs.f2fs"; 2162 args[1] = "-t"; 2163 args[2] = "-d1"; 2164 args[3] = crypto_blkdev; 2165 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2166 args[4] = size_str; 2167 num_args = 5; 2168 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2169 args[0], args[1], args[2], args[3], args[4]); 2170 } else { 2171 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2172 return -1; 2173 } 2174 2175 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2176 2177 if (tmp != 0) { 2178 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2179 } else { 2180 if (WIFEXITED(status)) { 2181 if (WEXITSTATUS(status)) { 2182 SLOGE("Error creating filesystem on %s, exit status %d ", 2183 crypto_blkdev, WEXITSTATUS(status)); 2184 } else { 2185 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2186 rc = 0; 2187 } 2188 } else { 2189 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2190 } 2191 } 2192 2193 return rc; 2194} 2195 2196#define CRYPT_INPLACE_BUFSIZE 4096 2197#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2198#define CRYPT_SECTOR_SIZE 512 2199 2200/* aligned 32K writes tends to make flash happy. 2201 * SD card association recommends it. 2202 */ 2203#define BLOCKS_AT_A_TIME 8 2204 2205struct encryptGroupsData 2206{ 2207 int realfd; 2208 int cryptofd; 2209 off64_t numblocks; 2210 off64_t one_pct, cur_pct, new_pct; 2211 off64_t blocks_already_done, tot_numblocks; 2212 off64_t used_blocks_already_done, tot_used_blocks; 2213 char* real_blkdev, * crypto_blkdev; 2214 int count; 2215 off64_t offset; 2216 char* buffer; 2217 off64_t last_written_sector; 2218 int completed; 2219 time_t time_started; 2220 int remaining_time; 2221}; 2222 2223static void update_progress(struct encryptGroupsData* data, int is_used) 2224{ 2225 data->blocks_already_done++; 2226 2227 if (is_used) { 2228 data->used_blocks_already_done++; 2229 } 2230 if (data->tot_used_blocks) { 2231 data->new_pct = data->used_blocks_already_done / data->one_pct; 2232 } else { 2233 data->new_pct = data->blocks_already_done / data->one_pct; 2234 } 2235 2236 if (data->new_pct > data->cur_pct) { 2237 char buf[8]; 2238 data->cur_pct = data->new_pct; 2239 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2240 property_set("vold.encrypt_progress", buf); 2241 } 2242 2243 if (data->cur_pct >= 5) { 2244 struct timespec time_now; 2245 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2246 SLOGW("Error getting time"); 2247 } else { 2248 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2249 off64_t remaining_blocks = data->tot_used_blocks 2250 - data->used_blocks_already_done; 2251 int remaining_time = (int)(elapsed_time * remaining_blocks 2252 / data->used_blocks_already_done); 2253 2254 // Change time only if not yet set, lower, or a lot higher for 2255 // best user experience 2256 if (data->remaining_time == -1 2257 || remaining_time < data->remaining_time 2258 || remaining_time > data->remaining_time + 60) { 2259 char buf[8]; 2260 snprintf(buf, sizeof(buf), "%d", remaining_time); 2261 property_set("vold.encrypt_time_remaining", buf); 2262 data->remaining_time = remaining_time; 2263 } 2264 } 2265 } 2266} 2267 2268static void log_progress(struct encryptGroupsData const* data, bool completed) 2269{ 2270 // Precondition - if completed data = 0 else data != 0 2271 2272 // Track progress so we can skip logging blocks 2273 static off64_t offset = -1; 2274 2275 // Need to close existing 'Encrypting from' log? 2276 if (completed || (offset != -1 && data->offset != offset)) { 2277 SLOGI("Encrypted to sector %" PRId64, 2278 offset / info.block_size * CRYPT_SECTOR_SIZE); 2279 offset = -1; 2280 } 2281 2282 // Need to start new 'Encrypting from' log? 2283 if (!completed && offset != data->offset) { 2284 SLOGI("Encrypting from sector %" PRId64, 2285 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2286 } 2287 2288 // Update offset 2289 if (!completed) { 2290 offset = data->offset + (off64_t)data->count * info.block_size; 2291 } 2292} 2293 2294static int flush_outstanding_data(struct encryptGroupsData* data) 2295{ 2296 if (data->count == 0) { 2297 return 0; 2298 } 2299 2300 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2301 2302 if (pread64(data->realfd, data->buffer, 2303 info.block_size * data->count, data->offset) 2304 <= 0) { 2305 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2306 data->real_blkdev); 2307 return -1; 2308 } 2309 2310 if (pwrite64(data->cryptofd, data->buffer, 2311 info.block_size * data->count, data->offset) 2312 <= 0) { 2313 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2314 data->crypto_blkdev); 2315 return -1; 2316 } else { 2317 log_progress(data, false); 2318 } 2319 2320 data->count = 0; 2321 data->last_written_sector = (data->offset + data->count) 2322 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2323 return 0; 2324} 2325 2326static int encrypt_groups(struct encryptGroupsData* data) 2327{ 2328 unsigned int i; 2329 u8 *block_bitmap = 0; 2330 unsigned int block; 2331 off64_t ret; 2332 int rc = -1; 2333 2334 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2335 if (!data->buffer) { 2336 SLOGE("Failed to allocate crypto buffer"); 2337 goto errout; 2338 } 2339 2340 block_bitmap = malloc(info.block_size); 2341 if (!block_bitmap) { 2342 SLOGE("failed to allocate block bitmap"); 2343 goto errout; 2344 } 2345 2346 for (i = 0; i < aux_info.groups; ++i) { 2347 SLOGI("Encrypting group %d", i); 2348 2349 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2350 u32 block_count = min(info.blocks_per_group, 2351 aux_info.len_blocks - first_block); 2352 2353 off64_t offset = (u64)info.block_size 2354 * aux_info.bg_desc[i].bg_block_bitmap; 2355 2356 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2357 if (ret != (int)info.block_size) { 2358 SLOGE("failed to read all of block group bitmap %d", i); 2359 goto errout; 2360 } 2361 2362 offset = (u64)info.block_size * first_block; 2363 2364 data->count = 0; 2365 2366 for (block = 0; block < block_count; block++) { 2367 int used = bitmap_get_bit(block_bitmap, block); 2368 update_progress(data, used); 2369 if (used) { 2370 if (data->count == 0) { 2371 data->offset = offset; 2372 } 2373 data->count++; 2374 } else { 2375 if (flush_outstanding_data(data)) { 2376 goto errout; 2377 } 2378 } 2379 2380 offset += info.block_size; 2381 2382 /* Write data if we are aligned or buffer size reached */ 2383 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2384 || data->count == BLOCKS_AT_A_TIME) { 2385 if (flush_outstanding_data(data)) { 2386 goto errout; 2387 } 2388 } 2389 2390 if (!is_battery_ok_to_continue()) { 2391 SLOGE("Stopping encryption due to low battery"); 2392 rc = 0; 2393 goto errout; 2394 } 2395 2396 } 2397 if (flush_outstanding_data(data)) { 2398 goto errout; 2399 } 2400 } 2401 2402 data->completed = 1; 2403 rc = 0; 2404 2405errout: 2406 log_progress(0, true); 2407 free(data->buffer); 2408 free(block_bitmap); 2409 return rc; 2410} 2411 2412static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2413 char *real_blkdev, 2414 off64_t size, 2415 off64_t *size_already_done, 2416 off64_t tot_size, 2417 off64_t previously_encrypted_upto) 2418{ 2419 u32 i; 2420 struct encryptGroupsData data; 2421 int rc; // Can't initialize without causing warning -Wclobbered 2422 2423 if (previously_encrypted_upto > *size_already_done) { 2424 SLOGD("Not fast encrypting since resuming part way through"); 2425 return -1; 2426 } 2427 2428 memset(&data, 0, sizeof(data)); 2429 data.real_blkdev = real_blkdev; 2430 data.crypto_blkdev = crypto_blkdev; 2431 2432 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2433 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2434 real_blkdev, errno, strerror(errno)); 2435 rc = -1; 2436 goto errout; 2437 } 2438 2439 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2440 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2441 crypto_blkdev, errno, strerror(errno)); 2442 rc = ENABLE_INPLACE_ERR_DEV; 2443 goto errout; 2444 } 2445 2446 if (setjmp(setjmp_env)) { 2447 SLOGE("Reading ext4 extent caused an exception\n"); 2448 rc = -1; 2449 goto errout; 2450 } 2451 2452 if (read_ext(data.realfd, 0) != 0) { 2453 SLOGE("Failed to read ext4 extent\n"); 2454 rc = -1; 2455 goto errout; 2456 } 2457 2458 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2459 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2460 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2461 2462 SLOGI("Encrypting ext4 filesystem in place..."); 2463 2464 data.tot_used_blocks = data.numblocks; 2465 for (i = 0; i < aux_info.groups; ++i) { 2466 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2467 } 2468 2469 data.one_pct = data.tot_used_blocks / 100; 2470 data.cur_pct = 0; 2471 2472 struct timespec time_started = {0}; 2473 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2474 SLOGW("Error getting time at start"); 2475 // Note - continue anyway - we'll run with 0 2476 } 2477 data.time_started = time_started.tv_sec; 2478 data.remaining_time = -1; 2479 2480 rc = encrypt_groups(&data); 2481 if (rc) { 2482 SLOGE("Error encrypting groups"); 2483 goto errout; 2484 } 2485 2486 *size_already_done += data.completed ? size : data.last_written_sector; 2487 rc = 0; 2488 2489errout: 2490 close(data.realfd); 2491 close(data.cryptofd); 2492 2493 return rc; 2494} 2495 2496static void log_progress_f2fs(u64 block, bool completed) 2497{ 2498 // Precondition - if completed data = 0 else data != 0 2499 2500 // Track progress so we can skip logging blocks 2501 static u64 last_block = (u64)-1; 2502 2503 // Need to close existing 'Encrypting from' log? 2504 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2505 SLOGI("Encrypted to block %" PRId64, last_block); 2506 last_block = -1; 2507 } 2508 2509 // Need to start new 'Encrypting from' log? 2510 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2511 SLOGI("Encrypting from block %" PRId64, block); 2512 } 2513 2514 // Update offset 2515 if (!completed) { 2516 last_block = block; 2517 } 2518} 2519 2520static int encrypt_one_block_f2fs(u64 pos, void *data) 2521{ 2522 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2523 2524 priv_dat->blocks_already_done = pos - 1; 2525 update_progress(priv_dat, 1); 2526 2527 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2528 2529 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2530 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2531 return -1; 2532 } 2533 2534 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2535 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2536 return -1; 2537 } else { 2538 log_progress_f2fs(pos, false); 2539 } 2540 2541 return 0; 2542} 2543 2544static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2545 char *real_blkdev, 2546 off64_t size, 2547 off64_t *size_already_done, 2548 off64_t tot_size, 2549 off64_t previously_encrypted_upto) 2550{ 2551 u32 i; 2552 struct encryptGroupsData data; 2553 struct f2fs_info *f2fs_info = NULL; 2554 int rc = ENABLE_INPLACE_ERR_OTHER; 2555 if (previously_encrypted_upto > *size_already_done) { 2556 SLOGD("Not fast encrypting since resuming part way through"); 2557 return ENABLE_INPLACE_ERR_OTHER; 2558 } 2559 memset(&data, 0, sizeof(data)); 2560 data.real_blkdev = real_blkdev; 2561 data.crypto_blkdev = crypto_blkdev; 2562 data.realfd = -1; 2563 data.cryptofd = -1; 2564 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2565 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2566 real_blkdev); 2567 goto errout; 2568 } 2569 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2570 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2571 crypto_blkdev, errno, strerror(errno)); 2572 rc = ENABLE_INPLACE_ERR_DEV; 2573 goto errout; 2574 } 2575 2576 f2fs_info = generate_f2fs_info(data.realfd); 2577 if (!f2fs_info) 2578 goto errout; 2579 2580 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2581 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2582 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2583 2584 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2585 2586 data.one_pct = data.tot_used_blocks / 100; 2587 data.cur_pct = 0; 2588 data.time_started = time(NULL); 2589 data.remaining_time = -1; 2590 2591 data.buffer = malloc(f2fs_info->block_size); 2592 if (!data.buffer) { 2593 SLOGE("Failed to allocate crypto buffer"); 2594 goto errout; 2595 } 2596 2597 data.count = 0; 2598 2599 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2600 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2601 2602 if (rc) { 2603 SLOGE("Error in running over f2fs blocks"); 2604 rc = ENABLE_INPLACE_ERR_OTHER; 2605 goto errout; 2606 } 2607 2608 *size_already_done += size; 2609 rc = 0; 2610 2611errout: 2612 if (rc) 2613 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2614 2615 log_progress_f2fs(0, true); 2616 free(f2fs_info); 2617 free(data.buffer); 2618 close(data.realfd); 2619 close(data.cryptofd); 2620 2621 return rc; 2622} 2623 2624static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2625 off64_t size, off64_t *size_already_done, 2626 off64_t tot_size, 2627 off64_t previously_encrypted_upto) 2628{ 2629 int realfd, cryptofd; 2630 char *buf[CRYPT_INPLACE_BUFSIZE]; 2631 int rc = ENABLE_INPLACE_ERR_OTHER; 2632 off64_t numblocks, i, remainder; 2633 off64_t one_pct, cur_pct, new_pct; 2634 off64_t blocks_already_done, tot_numblocks; 2635 2636 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2637 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2638 return ENABLE_INPLACE_ERR_OTHER; 2639 } 2640 2641 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2642 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2643 crypto_blkdev, errno, strerror(errno)); 2644 close(realfd); 2645 return ENABLE_INPLACE_ERR_DEV; 2646 } 2647 2648 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2649 * The size passed in is the number of 512 byte sectors in the filesystem. 2650 * So compute the number of whole 4K blocks we should read/write, 2651 * and the remainder. 2652 */ 2653 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2654 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2655 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2656 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2657 2658 SLOGE("Encrypting filesystem in place..."); 2659 2660 i = previously_encrypted_upto + 1 - *size_already_done; 2661 2662 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2663 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2664 goto errout; 2665 } 2666 2667 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2668 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2669 goto errout; 2670 } 2671 2672 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2673 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2674 SLOGE("Error reading initial sectors from real_blkdev %s for " 2675 "inplace encrypt\n", crypto_blkdev); 2676 goto errout; 2677 } 2678 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2679 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2680 "inplace encrypt\n", crypto_blkdev); 2681 goto errout; 2682 } else { 2683 SLOGI("Encrypted 1 block at %" PRId64, i); 2684 } 2685 } 2686 2687 one_pct = tot_numblocks / 100; 2688 cur_pct = 0; 2689 /* process the majority of the filesystem in blocks */ 2690 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2691 new_pct = (i + blocks_already_done) / one_pct; 2692 if (new_pct > cur_pct) { 2693 char buf[8]; 2694 2695 cur_pct = new_pct; 2696 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2697 property_set("vold.encrypt_progress", buf); 2698 } 2699 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2700 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2701 goto errout; 2702 } 2703 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2704 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2705 goto errout; 2706 } else { 2707 SLOGD("Encrypted %d block at %" PRId64, 2708 CRYPT_SECTORS_PER_BUFSIZE, 2709 i * CRYPT_SECTORS_PER_BUFSIZE); 2710 } 2711 2712 if (!is_battery_ok_to_continue()) { 2713 SLOGE("Stopping encryption due to low battery"); 2714 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2715 rc = 0; 2716 goto errout; 2717 } 2718 } 2719 2720 /* Do any remaining sectors */ 2721 for (i=0; i<remainder; i++) { 2722 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2723 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2724 goto errout; 2725 } 2726 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2727 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2728 goto errout; 2729 } else { 2730 SLOGI("Encrypted 1 block at next location"); 2731 } 2732 } 2733 2734 *size_already_done += size; 2735 rc = 0; 2736 2737errout: 2738 close(realfd); 2739 close(cryptofd); 2740 2741 return rc; 2742} 2743 2744/* returns on of the ENABLE_INPLACE_* return codes */ 2745static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2746 off64_t size, off64_t *size_already_done, 2747 off64_t tot_size, 2748 off64_t previously_encrypted_upto) 2749{ 2750 int rc_ext4, rc_f2fs, rc_full; 2751 if (previously_encrypted_upto) { 2752 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2753 } 2754 2755 if (*size_already_done + size < previously_encrypted_upto) { 2756 *size_already_done += size; 2757 return 0; 2758 } 2759 2760 /* TODO: identify filesystem type. 2761 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2762 * then we will drop down to cryptfs_enable_inplace_f2fs. 2763 * */ 2764 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2765 size, size_already_done, 2766 tot_size, previously_encrypted_upto)) == 0) { 2767 return 0; 2768 } 2769 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2770 2771 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2772 size, size_already_done, 2773 tot_size, previously_encrypted_upto)) == 0) { 2774 return 0; 2775 } 2776 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2777 2778 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2779 size, size_already_done, tot_size, 2780 previously_encrypted_upto); 2781 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2782 2783 /* Hack for b/17898962, the following is the symptom... */ 2784 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2785 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2786 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2787 return ENABLE_INPLACE_ERR_DEV; 2788 } 2789 return rc_full; 2790} 2791 2792#define CRYPTO_ENABLE_WIPE 1 2793#define CRYPTO_ENABLE_INPLACE 2 2794 2795#define FRAMEWORK_BOOT_WAIT 60 2796 2797static inline int should_encrypt(struct volume_info *volume) 2798{ 2799 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2800 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2801} 2802 2803static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2804{ 2805 int fd = open(filename, O_RDONLY); 2806 if (fd == -1) { 2807 SLOGE("Error opening file %s", filename); 2808 return -1; 2809 } 2810 2811 char block[CRYPT_INPLACE_BUFSIZE]; 2812 memset(block, 0, sizeof(block)); 2813 if (unix_read(fd, block, sizeof(block)) < 0) { 2814 SLOGE("Error reading file %s", filename); 2815 close(fd); 2816 return -1; 2817 } 2818 2819 close(fd); 2820 2821 SHA256_CTX c; 2822 SHA256_Init(&c); 2823 SHA256_Update(&c, block, sizeof(block)); 2824 SHA256_Final(buf, &c); 2825 2826 return 0; 2827} 2828 2829static int get_fs_type(struct fstab_rec *rec) 2830{ 2831 if (!strcmp(rec->fs_type, "ext4")) { 2832 return EXT4_FS; 2833 } else if (!strcmp(rec->fs_type, "f2fs")) { 2834 return F2FS_FS; 2835 } else { 2836 return -1; 2837 } 2838} 2839 2840static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2841 char *crypto_blkdev, char *real_blkdev, 2842 int previously_encrypted_upto) 2843{ 2844 off64_t cur_encryption_done=0, tot_encryption_size=0; 2845 int i, rc = -1; 2846 2847 if (!is_battery_ok_to_start()) { 2848 SLOGW("Not starting encryption due to low battery"); 2849 return 0; 2850 } 2851 2852 /* The size of the userdata partition, and add in the vold volumes below */ 2853 tot_encryption_size = crypt_ftr->fs_size; 2854 2855 if (how == CRYPTO_ENABLE_WIPE) { 2856 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2857 int fs_type = get_fs_type(rec); 2858 if (fs_type < 0) { 2859 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2860 return -1; 2861 } 2862 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2863 } else if (how == CRYPTO_ENABLE_INPLACE) { 2864 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2865 crypt_ftr->fs_size, &cur_encryption_done, 2866 tot_encryption_size, 2867 previously_encrypted_upto); 2868 2869 if (rc == ENABLE_INPLACE_ERR_DEV) { 2870 /* Hack for b/17898962 */ 2871 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2872 cryptfs_reboot(reboot); 2873 } 2874 2875 if (!rc) { 2876 crypt_ftr->encrypted_upto = cur_encryption_done; 2877 } 2878 2879 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2880 /* The inplace routine never actually sets the progress to 100% due 2881 * to the round down nature of integer division, so set it here */ 2882 property_set("vold.encrypt_progress", "100"); 2883 } 2884 } else { 2885 /* Shouldn't happen */ 2886 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2887 rc = -1; 2888 } 2889 2890 return rc; 2891} 2892 2893int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2894 int allow_reboot) 2895{ 2896 int how = 0; 2897 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2898 unsigned long nr_sec; 2899 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2900 int rc=-1, fd, i, ret; 2901 struct crypt_mnt_ftr crypt_ftr; 2902 struct crypt_persist_data *pdata; 2903 char encrypted_state[PROPERTY_VALUE_MAX]; 2904 char lockid[32] = { 0 }; 2905 char key_loc[PROPERTY_VALUE_MAX]; 2906 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2907 char *sd_mnt_point; 2908 int num_vols; 2909 struct volume_info *vol_list = 0; 2910 off64_t previously_encrypted_upto = 0; 2911 2912 if (!strcmp(howarg, "wipe")) { 2913 how = CRYPTO_ENABLE_WIPE; 2914 } else if (! strcmp(howarg, "inplace")) { 2915 how = CRYPTO_ENABLE_INPLACE; 2916 } else { 2917 /* Shouldn't happen, as CommandListener vets the args */ 2918 goto error_unencrypted; 2919 } 2920 2921 /* See if an encryption was underway and interrupted */ 2922 if (how == CRYPTO_ENABLE_INPLACE 2923 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2924 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2925 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2926 crypt_ftr.encrypted_upto = 0; 2927 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2928 2929 /* At this point, we are in an inconsistent state. Until we successfully 2930 complete encryption, a reboot will leave us broken. So mark the 2931 encryption failed in case that happens. 2932 On successfully completing encryption, remove this flag */ 2933 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2934 2935 put_crypt_ftr_and_key(&crypt_ftr); 2936 } 2937 2938 property_get("ro.crypto.state", encrypted_state, ""); 2939 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2940 SLOGE("Device is already running encrypted, aborting"); 2941 goto error_unencrypted; 2942 } 2943 2944 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2945 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2946 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2947 2948 /* Get the size of the real block device */ 2949 fd = open(real_blkdev, O_RDONLY); 2950 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2951 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2952 goto error_unencrypted; 2953 } 2954 close(fd); 2955 2956 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2957 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2958 unsigned int fs_size_sec, max_fs_size_sec; 2959 fs_size_sec = get_fs_size(real_blkdev); 2960 if (fs_size_sec == 0) 2961 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2962 2963 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2964 2965 if (fs_size_sec > max_fs_size_sec) { 2966 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2967 goto error_unencrypted; 2968 } 2969 } 2970 2971 /* Get a wakelock as this may take a while, and we don't want the 2972 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2973 * wants to keep the screen on, it can grab a full wakelock. 2974 */ 2975 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2976 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2977 2978 /* Get the sdcard mount point */ 2979 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2980 if (!sd_mnt_point) { 2981 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2982 } 2983 if (!sd_mnt_point) { 2984 sd_mnt_point = "/mnt/sdcard"; 2985 } 2986 2987 /* TODO 2988 * Currently do not have test devices with multiple encryptable volumes. 2989 * When we acquire some, re-add support. 2990 */ 2991 num_vols=vold_getNumDirectVolumes(); 2992 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2993 vold_getDirectVolumeList(vol_list); 2994 2995 for (i=0; i<num_vols; i++) { 2996 if (should_encrypt(&vol_list[i])) { 2997 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2998 "%s\n", vol_list[i].label); 2999 goto error_unencrypted; 3000 } 3001 } 3002 3003 /* The init files are setup to stop the class main and late start when 3004 * vold sets trigger_shutdown_framework. 3005 */ 3006 property_set("vold.decrypt", "trigger_shutdown_framework"); 3007 SLOGD("Just asked init to shut down class main\n"); 3008 3009 if (vold_unmountAllAsecs()) { 3010 /* Just report the error. If any are left mounted, 3011 * umounting /data below will fail and handle the error. 3012 */ 3013 SLOGE("Error unmounting internal asecs"); 3014 } 3015 3016 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3017 if (!strcmp(fuse_sdcard, "true")) { 3018 /* This is a device using the fuse layer to emulate the sdcard semantics 3019 * on top of the userdata partition. vold does not manage it, it is managed 3020 * by the sdcard service. The sdcard service was killed by the property trigger 3021 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3022 * unlike the case for vold managed devices above. 3023 */ 3024 if (wait_and_unmount(sd_mnt_point, false)) { 3025 goto error_shutting_down; 3026 } 3027 } 3028 3029 /* Now unmount the /data partition. */ 3030 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3031 if (allow_reboot) { 3032 goto error_shutting_down; 3033 } else { 3034 goto error_unencrypted; 3035 } 3036 } 3037 3038 /* Do extra work for a better UX when doing the long inplace encryption */ 3039 if (how == CRYPTO_ENABLE_INPLACE) { 3040 /* Now that /data is unmounted, we need to mount a tmpfs 3041 * /data, set a property saying we're doing inplace encryption, 3042 * and restart the framework. 3043 */ 3044 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3045 goto error_shutting_down; 3046 } 3047 /* Tells the framework that inplace encryption is starting */ 3048 property_set("vold.encrypt_progress", "0"); 3049 3050 /* restart the framework. */ 3051 /* Create necessary paths on /data */ 3052 if (prep_data_fs()) { 3053 goto error_shutting_down; 3054 } 3055 3056 /* Ugh, shutting down the framework is not synchronous, so until it 3057 * can be fixed, this horrible hack will wait a moment for it all to 3058 * shut down before proceeding. Without it, some devices cannot 3059 * restart the graphics services. 3060 */ 3061 sleep(2); 3062 3063 /* startup service classes main and late_start */ 3064 property_set("vold.decrypt", "trigger_restart_min_framework"); 3065 SLOGD("Just triggered restart_min_framework\n"); 3066 3067 /* OK, the framework is restarted and will soon be showing a 3068 * progress bar. Time to setup an encrypted mapping, and 3069 * either write a new filesystem, or encrypt in place updating 3070 * the progress bar as we work. 3071 */ 3072 } 3073 3074 /* Start the actual work of making an encrypted filesystem */ 3075 /* Initialize a crypt_mnt_ftr for the partition */ 3076 if (previously_encrypted_upto == 0) { 3077 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3078 goto error_shutting_down; 3079 } 3080 3081 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3082 crypt_ftr.fs_size = nr_sec 3083 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3084 } else { 3085 crypt_ftr.fs_size = nr_sec; 3086 } 3087 /* At this point, we are in an inconsistent state. Until we successfully 3088 complete encryption, a reboot will leave us broken. So mark the 3089 encryption failed in case that happens. 3090 On successfully completing encryption, remove this flag */ 3091 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3092 crypt_ftr.crypt_type = crypt_type; 3093 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 3094 3095 /* Make an encrypted master key */ 3096 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3097 SLOGE("Cannot create encrypted master key\n"); 3098 goto error_shutting_down; 3099 } 3100 3101 /* Write the key to the end of the partition */ 3102 put_crypt_ftr_and_key(&crypt_ftr); 3103 3104 /* If any persistent data has been remembered, save it. 3105 * If none, create a valid empty table and save that. 3106 */ 3107 if (!persist_data) { 3108 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3109 if (pdata) { 3110 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3111 persist_data = pdata; 3112 } 3113 } 3114 if (persist_data) { 3115 save_persistent_data(); 3116 } 3117 } 3118 3119 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3120 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3121 "userdata"); 3122 3123 /* If we are continuing, check checksums match */ 3124 rc = 0; 3125 if (previously_encrypted_upto) { 3126 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3127 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3128 3129 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3130 sizeof(hash_first_block)) != 0) { 3131 SLOGE("Checksums do not match - trigger wipe"); 3132 rc = -1; 3133 } 3134 } 3135 3136 if (!rc) { 3137 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3138 crypto_blkdev, real_blkdev, 3139 previously_encrypted_upto); 3140 } 3141 3142 /* Calculate checksum if we are not finished */ 3143 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3144 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3145 crypt_ftr.hash_first_block); 3146 if (rc) { 3147 SLOGE("Error calculating checksum for continuing encryption"); 3148 rc = -1; 3149 } 3150 } 3151 3152 /* Undo the dm-crypt mapping whether we succeed or not */ 3153 delete_crypto_blk_dev("userdata"); 3154 3155 free(vol_list); 3156 3157 if (! rc) { 3158 /* Success */ 3159 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3160 3161 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3162 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3163 crypt_ftr.encrypted_upto); 3164 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3165 } 3166 3167 put_crypt_ftr_and_key(&crypt_ftr); 3168 3169 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3170 char value[PROPERTY_VALUE_MAX]; 3171 property_get("ro.crypto.state", value, ""); 3172 if (!strcmp(value, "")) { 3173 /* default encryption - continue first boot sequence */ 3174 property_set("ro.crypto.state", "encrypted"); 3175 release_wake_lock(lockid); 3176 cryptfs_check_passwd(DEFAULT_PASSWORD); 3177 cryptfs_restart_internal(1); 3178 return 0; 3179 } else { 3180 sleep(2); /* Give the UI a chance to show 100% progress */ 3181 cryptfs_reboot(reboot); 3182 } 3183 } else { 3184 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3185 cryptfs_reboot(shutdown); 3186 } 3187 } else { 3188 char value[PROPERTY_VALUE_MAX]; 3189 3190 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3191 if (!strcmp(value, "1")) { 3192 /* wipe data if encryption failed */ 3193 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3194 mkdir("/cache/recovery", 0700); 3195 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3196 if (fd >= 0) { 3197 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3198 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3199 close(fd); 3200 } else { 3201 SLOGE("could not open /cache/recovery/command\n"); 3202 } 3203 cryptfs_reboot(recovery); 3204 } else { 3205 /* set property to trigger dialog */ 3206 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3207 release_wake_lock(lockid); 3208 } 3209 return -1; 3210 } 3211 3212 /* hrm, the encrypt step claims success, but the reboot failed. 3213 * This should not happen. 3214 * Set the property and return. Hope the framework can deal with it. 3215 */ 3216 property_set("vold.encrypt_progress", "error_reboot_failed"); 3217 release_wake_lock(lockid); 3218 return rc; 3219 3220error_unencrypted: 3221 free(vol_list); 3222 property_set("vold.encrypt_progress", "error_not_encrypted"); 3223 if (lockid[0]) { 3224 release_wake_lock(lockid); 3225 } 3226 return -1; 3227 3228error_shutting_down: 3229 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3230 * but the framework is stopped and not restarted to show the error, so it's up to 3231 * vold to restart the system. 3232 */ 3233 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3234 cryptfs_reboot(reboot); 3235 3236 /* shouldn't get here */ 3237 property_set("vold.encrypt_progress", "error_shutting_down"); 3238 free(vol_list); 3239 if (lockid[0]) { 3240 release_wake_lock(lockid); 3241 } 3242 return -1; 3243} 3244 3245int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3246{ 3247 char* adjusted_passwd = adjust_passwd(passwd); 3248 if (adjusted_passwd) { 3249 passwd = adjusted_passwd; 3250 } 3251 3252 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3253 3254 free(adjusted_passwd); 3255 return rc; 3256} 3257 3258int cryptfs_enable_default(char *howarg, int allow_reboot) 3259{ 3260 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3261 DEFAULT_PASSWORD, allow_reboot); 3262} 3263 3264int cryptfs_changepw(int crypt_type, const char *newpw) 3265{ 3266 struct crypt_mnt_ftr crypt_ftr; 3267 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3268 3269 /* This is only allowed after we've successfully decrypted the master key */ 3270 if (!master_key_saved) { 3271 SLOGE("Key not saved, aborting"); 3272 return -1; 3273 } 3274 3275 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3276 SLOGE("Invalid crypt_type %d", crypt_type); 3277 return -1; 3278 } 3279 3280 /* get key */ 3281 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3282 SLOGE("Error getting crypt footer and key"); 3283 return -1; 3284 } 3285 3286 crypt_ftr.crypt_type = crypt_type; 3287 3288 char* adjusted_passwd = adjust_passwd(newpw); 3289 if (adjusted_passwd) { 3290 newpw = adjusted_passwd; 3291 } 3292 3293 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3294 : newpw, 3295 crypt_ftr.salt, 3296 saved_master_key, 3297 crypt_ftr.master_key, 3298 &crypt_ftr); 3299 3300 /* save the key */ 3301 put_crypt_ftr_and_key(&crypt_ftr); 3302 3303 free(adjusted_passwd); 3304 return 0; 3305} 3306 3307static unsigned int persist_get_max_entries(int encrypted) { 3308 struct crypt_mnt_ftr crypt_ftr; 3309 unsigned int dsize; 3310 unsigned int max_persistent_entries; 3311 3312 /* If encrypted, use the values from the crypt_ftr, otherwise 3313 * use the values for the current spec. 3314 */ 3315 if (encrypted) { 3316 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3317 return -1; 3318 } 3319 dsize = crypt_ftr.persist_data_size; 3320 } else { 3321 dsize = CRYPT_PERSIST_DATA_SIZE; 3322 } 3323 3324 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3325 sizeof(struct crypt_persist_entry); 3326 3327 return max_persistent_entries; 3328} 3329 3330static int persist_get_key(const char *fieldname, char *value) 3331{ 3332 unsigned int i; 3333 3334 if (persist_data == NULL) { 3335 return -1; 3336 } 3337 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3338 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3339 /* We found it! */ 3340 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3341 return 0; 3342 } 3343 } 3344 3345 return -1; 3346} 3347 3348static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3349{ 3350 unsigned int i; 3351 unsigned int num; 3352 unsigned int max_persistent_entries; 3353 3354 if (persist_data == NULL) { 3355 return -1; 3356 } 3357 3358 max_persistent_entries = persist_get_max_entries(encrypted); 3359 3360 num = persist_data->persist_valid_entries; 3361 3362 for (i = 0; i < num; i++) { 3363 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3364 /* We found an existing entry, update it! */ 3365 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3366 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3367 return 0; 3368 } 3369 } 3370 3371 /* We didn't find it, add it to the end, if there is room */ 3372 if (persist_data->persist_valid_entries < max_persistent_entries) { 3373 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3374 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3375 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3376 persist_data->persist_valid_entries++; 3377 return 0; 3378 } 3379 3380 return -1; 3381} 3382 3383/** 3384 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3385 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3386 */ 3387static int match_multi_entry(const char *key, const char *field, unsigned index) { 3388 unsigned int i; 3389 unsigned int field_len; 3390 unsigned int key_index; 3391 field_len = strlen(field); 3392 3393 if (index == 0) { 3394 // The first key in a multi-entry field is just the filedname itself. 3395 if (!strcmp(key, field)) { 3396 return 1; 3397 } 3398 } 3399 // Match key against "%s_%d" % (field, index) 3400 if (strlen(key) < field_len + 1 + 1) { 3401 // Need at least a '_' and a digit. 3402 return 0; 3403 } 3404 if (strncmp(key, field, field_len)) { 3405 // If the key does not begin with field, it's not a match. 3406 return 0; 3407 } 3408 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3409 return 0; 3410 } 3411 return key_index >= index; 3412} 3413 3414/* 3415 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3416 * remaining entries starting from index will be deleted. 3417 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3418 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3419 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3420 * 3421 */ 3422static int persist_del_keys(const char *fieldname, unsigned index) 3423{ 3424 unsigned int i; 3425 unsigned int j; 3426 unsigned int num; 3427 3428 if (persist_data == NULL) { 3429 return PERSIST_DEL_KEY_ERROR_OTHER; 3430 } 3431 3432 num = persist_data->persist_valid_entries; 3433 3434 j = 0; // points to the end of non-deleted entries. 3435 // Filter out to-be-deleted entries in place. 3436 for (i = 0; i < num; i++) { 3437 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3438 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3439 j++; 3440 } 3441 } 3442 3443 if (j < num) { 3444 persist_data->persist_valid_entries = j; 3445 // Zeroise the remaining entries 3446 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3447 return PERSIST_DEL_KEY_OK; 3448 } else { 3449 // Did not find an entry matching the given fieldname 3450 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3451 } 3452} 3453 3454static int persist_count_keys(const char *fieldname) 3455{ 3456 unsigned int i; 3457 unsigned int count; 3458 3459 if (persist_data == NULL) { 3460 return -1; 3461 } 3462 3463 count = 0; 3464 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3465 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3466 count++; 3467 } 3468 } 3469 3470 return count; 3471} 3472 3473/* Return the value of the specified field. */ 3474int cryptfs_getfield(const char *fieldname, char *value, int len) 3475{ 3476 char temp_value[PROPERTY_VALUE_MAX]; 3477 char real_blkdev[MAXPATHLEN]; 3478 /* CRYPTO_GETFIELD_OK is success, 3479 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3480 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3481 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3482 */ 3483 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3484 int i; 3485 char temp_field[PROPERTY_KEY_MAX]; 3486 3487 if (persist_data == NULL) { 3488 load_persistent_data(); 3489 if (persist_data == NULL) { 3490 SLOGE("Getfield error, cannot load persistent data"); 3491 goto out; 3492 } 3493 } 3494 3495 // Read value from persistent entries. If the original value is split into multiple entries, 3496 // stitch them back together. 3497 if (!persist_get_key(fieldname, temp_value)) { 3498 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3499 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3500 // value too small 3501 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3502 goto out; 3503 } 3504 rc = CRYPTO_GETFIELD_OK; 3505 3506 for (i = 1; /* break explicitly */; i++) { 3507 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3508 (int) sizeof(temp_field)) { 3509 // If the fieldname is very long, we stop as soon as it begins to overflow the 3510 // maximum field length. At this point we have in fact fully read out the original 3511 // value because cryptfs_setfield would not allow fields with longer names to be 3512 // written in the first place. 3513 break; 3514 } 3515 if (!persist_get_key(temp_field, temp_value)) { 3516 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3517 // value too small. 3518 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3519 goto out; 3520 } 3521 } else { 3522 // Exhaust all entries. 3523 break; 3524 } 3525 } 3526 } else { 3527 /* Sadness, it's not there. Return the error */ 3528 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3529 } 3530 3531out: 3532 return rc; 3533} 3534 3535/* Set the value of the specified field. */ 3536int cryptfs_setfield(const char *fieldname, const char *value) 3537{ 3538 struct crypt_persist_data stored_pdata; 3539 struct crypt_persist_data *pdata_p; 3540 struct crypt_mnt_ftr crypt_ftr; 3541 char encrypted_state[PROPERTY_VALUE_MAX]; 3542 /* 0 is success, negative values are error */ 3543 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3544 int encrypted = 0; 3545 unsigned int field_id; 3546 char temp_field[PROPERTY_KEY_MAX]; 3547 unsigned int num_entries; 3548 unsigned int max_keylen; 3549 3550 if (persist_data == NULL) { 3551 load_persistent_data(); 3552 if (persist_data == NULL) { 3553 SLOGE("Setfield error, cannot load persistent data"); 3554 goto out; 3555 } 3556 } 3557 3558 property_get("ro.crypto.state", encrypted_state, ""); 3559 if (!strcmp(encrypted_state, "encrypted") ) { 3560 encrypted = 1; 3561 } 3562 3563 // Compute the number of entries required to store value, each entry can store up to 3564 // (PROPERTY_VALUE_MAX - 1) chars 3565 if (strlen(value) == 0) { 3566 // Empty value also needs one entry to store. 3567 num_entries = 1; 3568 } else { 3569 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3570 } 3571 3572 max_keylen = strlen(fieldname); 3573 if (num_entries > 1) { 3574 // Need an extra "_%d" suffix. 3575 max_keylen += 1 + log10(num_entries); 3576 } 3577 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3578 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3579 goto out; 3580 } 3581 3582 // Make sure we have enough space to write the new value 3583 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3584 persist_get_max_entries(encrypted)) { 3585 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3586 goto out; 3587 } 3588 3589 // Now that we know persist_data has enough space for value, let's delete the old field first 3590 // to make up space. 3591 persist_del_keys(fieldname, 0); 3592 3593 if (persist_set_key(fieldname, value, encrypted)) { 3594 // fail to set key, should not happen as we have already checked the available space 3595 SLOGE("persist_set_key() error during setfield()"); 3596 goto out; 3597 } 3598 3599 for (field_id = 1; field_id < num_entries; field_id++) { 3600 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3601 3602 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3603 // fail to set key, should not happen as we have already checked the available space. 3604 SLOGE("persist_set_key() error during setfield()"); 3605 goto out; 3606 } 3607 } 3608 3609 /* If we are running encrypted, save the persistent data now */ 3610 if (encrypted) { 3611 if (save_persistent_data()) { 3612 SLOGE("Setfield error, cannot save persistent data"); 3613 goto out; 3614 } 3615 } 3616 3617 rc = CRYPTO_SETFIELD_OK; 3618 3619out: 3620 return rc; 3621} 3622 3623/* Checks userdata. Attempt to mount the volume if default- 3624 * encrypted. 3625 * On success trigger next init phase and return 0. 3626 * Currently do not handle failure - see TODO below. 3627 */ 3628int cryptfs_mount_default_encrypted(void) 3629{ 3630 char decrypt_state[PROPERTY_VALUE_MAX]; 3631 property_get("vold.decrypt", decrypt_state, "0"); 3632 if (!strcmp(decrypt_state, "0")) { 3633 SLOGE("Not encrypted - should not call here"); 3634 } else { 3635 int crypt_type = cryptfs_get_password_type(); 3636 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3637 SLOGE("Bad crypt type - error"); 3638 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3639 SLOGD("Password is not default - " 3640 "starting min framework to prompt"); 3641 property_set("vold.decrypt", "trigger_restart_min_framework"); 3642 return 0; 3643 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3644 SLOGD("Password is default - restarting filesystem"); 3645 cryptfs_restart_internal(0); 3646 return 0; 3647 } else { 3648 SLOGE("Encrypted, default crypt type but can't decrypt"); 3649 } 3650 } 3651 3652 /** Corrupt. Allow us to boot into framework, which will detect bad 3653 crypto when it calls do_crypto_complete, then do a factory reset 3654 */ 3655 property_set("vold.decrypt", "trigger_restart_min_framework"); 3656 return 0; 3657} 3658 3659/* Returns type of the password, default, pattern, pin or password. 3660 */ 3661int cryptfs_get_password_type(void) 3662{ 3663 struct crypt_mnt_ftr crypt_ftr; 3664 3665 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3666 SLOGE("Error getting crypt footer and key\n"); 3667 return -1; 3668 } 3669 3670 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3671 return -1; 3672 } 3673 3674 return crypt_ftr.crypt_type; 3675} 3676 3677char* cryptfs_get_password() 3678{ 3679 struct timespec now; 3680 clock_gettime(CLOCK_MONOTONIC, &now); 3681 if (now.tv_sec < password_expiry_time) { 3682 return password; 3683 } else { 3684 cryptfs_clear_password(); 3685 return 0; 3686 } 3687} 3688 3689void cryptfs_clear_password() 3690{ 3691 if (password) { 3692 size_t len = strlen(password); 3693 memset(password, 0, len); 3694 free(password); 3695 password = 0; 3696 password_expiry_time = 0; 3697 } 3698} 3699