cryptfs.c revision 8af33350cdd461891e77684fcc5374edd5497140
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "ext4_utils.h" 57#include "f2fs_sparseblock.h" 58#include "CheckBattery.h" 59#include "Process.h" 60 61#include <hardware/keymaster0.h> 62 63#define UNUSED __attribute__((unused)) 64 65#define UNUSED __attribute__((unused)) 66 67#ifdef CONFIG_HW_DISK_ENCRYPTION 68#include "cryptfs_hw.h" 69#endif 70 71#define DM_CRYPT_BUF_SIZE 4096 72 73#define HASH_COUNT 2000 74#define KEY_LEN_BYTES 16 75#define IV_LEN_BYTES 16 76 77#define KEY_IN_FOOTER "footer" 78 79// "default_password" encoded into hex (d=0x64 etc) 80#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 81 82#define EXT4_FS 1 83#define F2FS_FS 2 84 85#define TABLE_LOAD_RETRIES 10 86 87#define RSA_KEY_SIZE 2048 88#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 89#define RSA_EXPONENT 0x10001 90 91#define RETRY_MOUNT_ATTEMPTS 10 92#define RETRY_MOUNT_DELAY_SECONDS 1 93 94char *me = "cryptfs"; 95 96static unsigned char saved_master_key[KEY_LEN_BYTES]; 97static char *saved_mount_point; 98static int master_key_saved = 0; 99static struct crypt_persist_data *persist_data = NULL; 100 101static int keymaster_init(keymaster0_device_t **keymaster_dev) 102{ 103 int rc; 104 105 const hw_module_t* mod; 106 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 107 if (rc) { 108 ALOGE("could not find any keystore module"); 109 goto out; 110 } 111 112 rc = keymaster0_open(mod, keymaster_dev); 113 if (rc) { 114 ALOGE("could not open keymaster device in %s (%s)", 115 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 116 goto out; 117 } 118 119 return 0; 120 121out: 122 *keymaster_dev = NULL; 123 return rc; 124} 125 126/* Should we use keymaster? */ 127static int keymaster_check_compatibility() 128{ 129 keymaster0_device_t *keymaster_dev = 0; 130 int rc = 0; 131 132 if (keymaster_init(&keymaster_dev)) { 133 SLOGE("Failed to init keymaster"); 134 rc = -1; 135 goto out; 136 } 137 138 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 139 140 if (keymaster_dev->common.module->module_api_version 141 < KEYMASTER_MODULE_API_VERSION_0_3) { 142 rc = 0; 143 goto out; 144 } 145 146 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 147 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 148 rc = 1; 149 } 150 151out: 152 keymaster0_close(keymaster_dev); 153 return rc; 154} 155 156/* Create a new keymaster key and store it in this footer */ 157static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 158{ 159 uint8_t* key = 0; 160 keymaster0_device_t *keymaster_dev = 0; 161 162 if (keymaster_init(&keymaster_dev)) { 163 SLOGE("Failed to init keymaster"); 164 return -1; 165 } 166 167 int rc = 0; 168 169 keymaster_rsa_keygen_params_t params; 170 memset(¶ms, '\0', sizeof(params)); 171 params.public_exponent = RSA_EXPONENT; 172 params.modulus_size = RSA_KEY_SIZE; 173 174 size_t key_size; 175 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 176 &key, &key_size)) { 177 SLOGE("Failed to generate keypair"); 178 rc = -1; 179 goto out; 180 } 181 182 if (key_size > KEYMASTER_BLOB_SIZE) { 183 SLOGE("Keymaster key too large for crypto footer"); 184 rc = -1; 185 goto out; 186 } 187 188 memcpy(ftr->keymaster_blob, key, key_size); 189 ftr->keymaster_blob_size = key_size; 190 191out: 192 keymaster0_close(keymaster_dev); 193 free(key); 194 return rc; 195} 196 197/* This signs the given object using the keymaster key. */ 198static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 199 const unsigned char *object, 200 const size_t object_size, 201 unsigned char **signature, 202 size_t *signature_size) 203{ 204 int rc = 0; 205 keymaster0_device_t *keymaster_dev = 0; 206 if (keymaster_init(&keymaster_dev)) { 207 SLOGE("Failed to init keymaster"); 208 return -1; 209 } 210 211 /* We currently set the digest type to DIGEST_NONE because it's the 212 * only supported value for keymaster. A similar issue exists with 213 * PADDING_NONE. Long term both of these should likely change. 214 */ 215 keymaster_rsa_sign_params_t params; 216 params.digest_type = DIGEST_NONE; 217 params.padding_type = PADDING_NONE; 218 219 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 220 size_t to_sign_size = sizeof(to_sign); 221 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 222 223 // To sign a message with RSA, the message must satisfy two 224 // constraints: 225 // 226 // 1. The message, when interpreted as a big-endian numeric value, must 227 // be strictly less than the public modulus of the RSA key. Note 228 // that because the most significant bit of the public modulus is 229 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 230 // key), an n-bit message with most significant bit 0 always 231 // satisfies this requirement. 232 // 233 // 2. The message must have the same length in bits as the public 234 // modulus of the RSA key. This requirement isn't mathematically 235 // necessary, but is necessary to ensure consistency in 236 // implementations. 237 switch (ftr->kdf_type) { 238 case KDF_SCRYPT_KEYMASTER: 239 // This ensures the most significant byte of the signed message 240 // is zero. We could have zero-padded to the left instead, but 241 // this approach is slightly more robust against changes in 242 // object size. However, it's still broken (but not unusably 243 // so) because we really should be using a proper RSA padding 244 // function, such as OAEP. 245 // 246 // TODO(paullawrence): When keymaster 0.4 is available, change 247 // this to use the padding options it provides. 248 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 249 SLOGI("Signing safely-padded object"); 250 break; 251 default: 252 SLOGE("Unknown KDF type %d", ftr->kdf_type); 253 return -1; 254 } 255 256 rc = keymaster_dev->sign_data(keymaster_dev, 257 ¶ms, 258 ftr->keymaster_blob, 259 ftr->keymaster_blob_size, 260 to_sign, 261 to_sign_size, 262 signature, 263 signature_size); 264 265 keymaster0_close(keymaster_dev); 266 return rc; 267} 268 269/* Store password when userdata is successfully decrypted and mounted. 270 * Cleared by cryptfs_clear_password 271 * 272 * To avoid a double prompt at boot, we need to store the CryptKeeper 273 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 274 * Since the entire framework is torn down and rebuilt after encryption, 275 * we have to use a daemon or similar to store the password. Since vold 276 * is secured against IPC except from system processes, it seems a reasonable 277 * place to store this. 278 * 279 * password should be cleared once it has been used. 280 * 281 * password is aged out after password_max_age_seconds seconds. 282 */ 283static char* password = 0; 284static int password_expiry_time = 0; 285static const int password_max_age_seconds = 60; 286 287extern struct fstab *fstab; 288 289enum RebootType {reboot, recovery, shutdown}; 290static void cryptfs_reboot(enum RebootType rt) 291{ 292 switch(rt) { 293 case reboot: 294 property_set(ANDROID_RB_PROPERTY, "reboot"); 295 break; 296 297 case recovery: 298 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 299 break; 300 301 case shutdown: 302 property_set(ANDROID_RB_PROPERTY, "shutdown"); 303 break; 304 } 305 306 sleep(20); 307 308 /* Shouldn't get here, reboot should happen before sleep times out */ 309 return; 310} 311 312static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 313{ 314 memset(io, 0, dataSize); 315 io->data_size = dataSize; 316 io->data_start = sizeof(struct dm_ioctl); 317 io->version[0] = 4; 318 io->version[1] = 0; 319 io->version[2] = 0; 320 io->flags = flags; 321 if (name) { 322 strlcpy(io->name, name, sizeof(io->name)); 323 } 324} 325 326/** 327 * Gets the default device scrypt parameters for key derivation time tuning. 328 * The parameters should lead to about one second derivation time for the 329 * given device. 330 */ 331static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 332 const int default_params[] = SCRYPT_DEFAULTS; 333 int params[] = SCRYPT_DEFAULTS; 334 char paramstr[PROPERTY_VALUE_MAX]; 335 char *token; 336 char *saveptr; 337 int i; 338 339 property_get(SCRYPT_PROP, paramstr, ""); 340 if (paramstr[0] != '\0') { 341 /* 342 * The token we're looking for should be three integers separated by 343 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 344 */ 345 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 346 token != NULL && i < 3; 347 i++, token = strtok_r(NULL, ":", &saveptr)) { 348 char *endptr; 349 params[i] = strtol(token, &endptr, 10); 350 351 /* 352 * Check that there was a valid number and it's 8-bit. If not, 353 * break out and the end check will take the default values. 354 */ 355 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 356 break; 357 } 358 } 359 360 /* 361 * If there were not enough tokens or a token was malformed (not an 362 * integer), it will end up here and the default parameters can be 363 * taken. 364 */ 365 if ((i != 3) || (token != NULL)) { 366 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 367 memcpy(params, default_params, sizeof(params)); 368 } 369 } 370 371 ftr->N_factor = params[0]; 372 ftr->r_factor = params[1]; 373 ftr->p_factor = params[2]; 374} 375 376static unsigned int get_fs_size(char *dev) 377{ 378 int fd, block_size; 379 struct ext4_super_block sb; 380 off64_t len; 381 382 if ((fd = open(dev, O_RDONLY)) < 0) { 383 SLOGE("Cannot open device to get filesystem size "); 384 return 0; 385 } 386 387 if (lseek64(fd, 1024, SEEK_SET) < 0) { 388 SLOGE("Cannot seek to superblock"); 389 return 0; 390 } 391 392 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 393 SLOGE("Cannot read superblock"); 394 return 0; 395 } 396 397 close(fd); 398 399 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 400 SLOGE("Not a valid ext4 superblock"); 401 return 0; 402 } 403 block_size = 1024 << sb.s_log_block_size; 404 /* compute length in bytes */ 405 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 406 407 /* return length in sectors */ 408 return (unsigned int) (len / 512); 409} 410 411static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 412{ 413 static int cached_data = 0; 414 static off64_t cached_off = 0; 415 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 416 int fd; 417 char key_loc[PROPERTY_VALUE_MAX]; 418 char real_blkdev[PROPERTY_VALUE_MAX]; 419 unsigned int nr_sec; 420 int rc = -1; 421 422 if (!cached_data) { 423 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 424 425 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 426 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 427 SLOGE("Cannot open real block device %s\n", real_blkdev); 428 return -1; 429 } 430 431 if ((nr_sec = get_blkdev_size(fd))) { 432 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 433 * encryption info footer and key, and plenty of bytes to spare for future 434 * growth. 435 */ 436 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 437 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 438 cached_data = 1; 439 } else { 440 SLOGE("Cannot get size of block device %s\n", real_blkdev); 441 } 442 close(fd); 443 } else { 444 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 445 cached_off = 0; 446 cached_data = 1; 447 } 448 } 449 450 if (cached_data) { 451 if (metadata_fname) { 452 *metadata_fname = cached_metadata_fname; 453 } 454 if (off) { 455 *off = cached_off; 456 } 457 rc = 0; 458 } 459 460 return rc; 461} 462 463/* key or salt can be NULL, in which case just skip writing that value. Useful to 464 * update the failed mount count but not change the key. 465 */ 466static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 467{ 468 int fd; 469 unsigned int cnt; 470 /* starting_off is set to the SEEK_SET offset 471 * where the crypto structure starts 472 */ 473 off64_t starting_off; 474 int rc = -1; 475 char *fname = NULL; 476 struct stat statbuf; 477 478 if (get_crypt_ftr_info(&fname, &starting_off)) { 479 SLOGE("Unable to get crypt_ftr_info\n"); 480 return -1; 481 } 482 if (fname[0] != '/') { 483 SLOGE("Unexpected value for crypto key location\n"); 484 return -1; 485 } 486 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 487 SLOGE("Cannot open footer file %s for put\n", fname); 488 return -1; 489 } 490 491 /* Seek to the start of the crypt footer */ 492 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 493 SLOGE("Cannot seek to real block device footer\n"); 494 goto errout; 495 } 496 497 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 498 SLOGE("Cannot write real block device footer\n"); 499 goto errout; 500 } 501 502 fstat(fd, &statbuf); 503 /* If the keys are kept on a raw block device, do not try to truncate it. */ 504 if (S_ISREG(statbuf.st_mode)) { 505 if (ftruncate(fd, 0x4000)) { 506 SLOGE("Cannot set footer file size\n"); 507 goto errout; 508 } 509 } 510 511 /* Success! */ 512 rc = 0; 513 514errout: 515 close(fd); 516 return rc; 517 518} 519 520static inline int unix_read(int fd, void* buff, int len) 521{ 522 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 523} 524 525static inline int unix_write(int fd, const void* buff, int len) 526{ 527 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 528} 529 530static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 531{ 532 memset(pdata, 0, len); 533 pdata->persist_magic = PERSIST_DATA_MAGIC; 534 pdata->persist_valid_entries = 0; 535} 536 537/* A routine to update the passed in crypt_ftr to the lastest version. 538 * fd is open read/write on the device that holds the crypto footer and persistent 539 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 540 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 541 */ 542static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 543{ 544 int orig_major = crypt_ftr->major_version; 545 int orig_minor = crypt_ftr->minor_version; 546 547 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 548 struct crypt_persist_data *pdata; 549 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 550 551 SLOGW("upgrading crypto footer to 1.1"); 552 553 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 554 if (pdata == NULL) { 555 SLOGE("Cannot allocate persisent data\n"); 556 return; 557 } 558 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 559 560 /* Need to initialize the persistent data area */ 561 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 562 SLOGE("Cannot seek to persisent data offset\n"); 563 free(pdata); 564 return; 565 } 566 /* Write all zeros to the first copy, making it invalid */ 567 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 568 569 /* Write a valid but empty structure to the second copy */ 570 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 571 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 572 573 /* Update the footer */ 574 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 575 crypt_ftr->persist_data_offset[0] = pdata_offset; 576 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 577 crypt_ftr->minor_version = 1; 578 free(pdata); 579 } 580 581 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 582 SLOGW("upgrading crypto footer to 1.2"); 583 /* But keep the old kdf_type. 584 * It will get updated later to KDF_SCRYPT after the password has been verified. 585 */ 586 crypt_ftr->kdf_type = KDF_PBKDF2; 587 get_device_scrypt_params(crypt_ftr); 588 crypt_ftr->minor_version = 2; 589 } 590 591 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 592 SLOGW("upgrading crypto footer to 1.3"); 593 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 594 crypt_ftr->minor_version = 3; 595 } 596 597 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 598 if (lseek64(fd, offset, SEEK_SET) == -1) { 599 SLOGE("Cannot seek to crypt footer\n"); 600 return; 601 } 602 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 603 } 604} 605 606 607static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 608{ 609 int fd; 610 unsigned int cnt; 611 off64_t starting_off; 612 int rc = -1; 613 char *fname = NULL; 614 struct stat statbuf; 615 616 if (get_crypt_ftr_info(&fname, &starting_off)) { 617 SLOGE("Unable to get crypt_ftr_info\n"); 618 return -1; 619 } 620 if (fname[0] != '/') { 621 SLOGE("Unexpected value for crypto key location\n"); 622 return -1; 623 } 624 if ( (fd = open(fname, O_RDWR)) < 0) { 625 SLOGE("Cannot open footer file %s for get\n", fname); 626 return -1; 627 } 628 629 /* Make sure it's 16 Kbytes in length */ 630 fstat(fd, &statbuf); 631 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 632 SLOGE("footer file %s is not the expected size!\n", fname); 633 goto errout; 634 } 635 636 /* Seek to the start of the crypt footer */ 637 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 638 SLOGE("Cannot seek to real block device footer\n"); 639 goto errout; 640 } 641 642 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 643 SLOGE("Cannot read real block device footer\n"); 644 goto errout; 645 } 646 647 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 648 SLOGE("Bad magic for real block device %s\n", fname); 649 goto errout; 650 } 651 652 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 653 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 654 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 655 goto errout; 656 } 657 658 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 659 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 660 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 661 } 662 663 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 664 * copy on disk before returning. 665 */ 666 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 667 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 668 } 669 670 /* Success! */ 671 rc = 0; 672 673errout: 674 close(fd); 675 return rc; 676} 677 678static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 679{ 680 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 681 crypt_ftr->persist_data_offset[1]) { 682 SLOGE("Crypt_ftr persist data regions overlap"); 683 return -1; 684 } 685 686 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 687 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 688 return -1; 689 } 690 691 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 692 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 693 CRYPT_FOOTER_OFFSET) { 694 SLOGE("Persistent data extends past crypto footer"); 695 return -1; 696 } 697 698 return 0; 699} 700 701static int load_persistent_data(void) 702{ 703 struct crypt_mnt_ftr crypt_ftr; 704 struct crypt_persist_data *pdata = NULL; 705 char encrypted_state[PROPERTY_VALUE_MAX]; 706 char *fname; 707 int found = 0; 708 int fd; 709 int ret; 710 int i; 711 712 if (persist_data) { 713 /* Nothing to do, we've already loaded or initialized it */ 714 return 0; 715 } 716 717 718 /* If not encrypted, just allocate an empty table and initialize it */ 719 property_get("ro.crypto.state", encrypted_state, ""); 720 if (strcmp(encrypted_state, "encrypted") ) { 721 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 722 if (pdata) { 723 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 724 persist_data = pdata; 725 return 0; 726 } 727 return -1; 728 } 729 730 if(get_crypt_ftr_and_key(&crypt_ftr)) { 731 return -1; 732 } 733 734 if ((crypt_ftr.major_version < 1) 735 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 736 SLOGE("Crypt_ftr version doesn't support persistent data"); 737 return -1; 738 } 739 740 if (get_crypt_ftr_info(&fname, NULL)) { 741 return -1; 742 } 743 744 ret = validate_persistent_data_storage(&crypt_ftr); 745 if (ret) { 746 return -1; 747 } 748 749 fd = open(fname, O_RDONLY); 750 if (fd < 0) { 751 SLOGE("Cannot open %s metadata file", fname); 752 return -1; 753 } 754 755 if (persist_data == NULL) { 756 pdata = malloc(crypt_ftr.persist_data_size); 757 if (pdata == NULL) { 758 SLOGE("Cannot allocate memory for persistent data"); 759 goto err; 760 } 761 } 762 763 for (i = 0; i < 2; i++) { 764 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 765 SLOGE("Cannot seek to read persistent data on %s", fname); 766 goto err2; 767 } 768 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 769 SLOGE("Error reading persistent data on iteration %d", i); 770 goto err2; 771 } 772 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 773 found = 1; 774 break; 775 } 776 } 777 778 if (!found) { 779 SLOGI("Could not find valid persistent data, creating"); 780 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 781 } 782 783 /* Success */ 784 persist_data = pdata; 785 close(fd); 786 return 0; 787 788err2: 789 free(pdata); 790 791err: 792 close(fd); 793 return -1; 794} 795 796static int save_persistent_data(void) 797{ 798 struct crypt_mnt_ftr crypt_ftr; 799 struct crypt_persist_data *pdata; 800 char *fname; 801 off64_t write_offset; 802 off64_t erase_offset; 803 int fd; 804 int ret; 805 806 if (persist_data == NULL) { 807 SLOGE("No persistent data to save"); 808 return -1; 809 } 810 811 if(get_crypt_ftr_and_key(&crypt_ftr)) { 812 return -1; 813 } 814 815 if ((crypt_ftr.major_version < 1) 816 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 817 SLOGE("Crypt_ftr version doesn't support persistent data"); 818 return -1; 819 } 820 821 ret = validate_persistent_data_storage(&crypt_ftr); 822 if (ret) { 823 return -1; 824 } 825 826 if (get_crypt_ftr_info(&fname, NULL)) { 827 return -1; 828 } 829 830 fd = open(fname, O_RDWR); 831 if (fd < 0) { 832 SLOGE("Cannot open %s metadata file", fname); 833 return -1; 834 } 835 836 pdata = malloc(crypt_ftr.persist_data_size); 837 if (pdata == NULL) { 838 SLOGE("Cannot allocate persistant data"); 839 goto err; 840 } 841 842 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 843 SLOGE("Cannot seek to read persistent data on %s", fname); 844 goto err2; 845 } 846 847 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 848 SLOGE("Error reading persistent data before save"); 849 goto err2; 850 } 851 852 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 853 /* The first copy is the curent valid copy, so write to 854 * the second copy and erase this one */ 855 write_offset = crypt_ftr.persist_data_offset[1]; 856 erase_offset = crypt_ftr.persist_data_offset[0]; 857 } else { 858 /* The second copy must be the valid copy, so write to 859 * the first copy, and erase the second */ 860 write_offset = crypt_ftr.persist_data_offset[0]; 861 erase_offset = crypt_ftr.persist_data_offset[1]; 862 } 863 864 /* Write the new copy first, if successful, then erase the old copy */ 865 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 866 SLOGE("Cannot seek to write persistent data"); 867 goto err2; 868 } 869 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 870 (int) crypt_ftr.persist_data_size) { 871 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 872 SLOGE("Cannot seek to erase previous persistent data"); 873 goto err2; 874 } 875 fsync(fd); 876 memset(pdata, 0, crypt_ftr.persist_data_size); 877 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 878 (int) crypt_ftr.persist_data_size) { 879 SLOGE("Cannot write to erase previous persistent data"); 880 goto err2; 881 } 882 fsync(fd); 883 } else { 884 SLOGE("Cannot write to save persistent data"); 885 goto err2; 886 } 887 888 /* Success */ 889 free(pdata); 890 close(fd); 891 return 0; 892 893err2: 894 free(pdata); 895err: 896 close(fd); 897 return -1; 898} 899 900static int hexdigit (char c) 901{ 902 if (c >= '0' && c <= '9') return c - '0'; 903 c = tolower(c); 904 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 905 return -1; 906} 907 908static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 909 unsigned int* out_keysize) 910{ 911 unsigned int i; 912 *out_keysize = 0; 913 914 size_t size = strlen (master_key_ascii); 915 if (size % 2) { 916 SLOGE("Trying to convert ascii string of odd length"); 917 return NULL; 918 } 919 920 unsigned char* master_key = (unsigned char*) malloc(size / 2); 921 if (master_key == 0) { 922 SLOGE("Cannot allocate"); 923 return NULL; 924 } 925 926 for (i = 0; i < size; i += 2) { 927 int high_nibble = hexdigit (master_key_ascii[i]); 928 int low_nibble = hexdigit (master_key_ascii[i + 1]); 929 930 if(high_nibble < 0 || low_nibble < 0) { 931 SLOGE("Invalid hex string"); 932 free (master_key); 933 return NULL; 934 } 935 936 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 937 (*out_keysize)++; 938 } 939 940 return master_key; 941} 942 943/* Convert a binary key of specified length into an ascii hex string equivalent, 944 * without the leading 0x and with null termination 945 */ 946static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 947 char *master_key_ascii) 948{ 949 unsigned int i, a; 950 unsigned char nibble; 951 952 for (i=0, a=0; i<keysize; i++, a+=2) { 953 /* For each byte, write out two ascii hex digits */ 954 nibble = (master_key[i] >> 4) & 0xf; 955 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 956 957 nibble = master_key[i] & 0xf; 958 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 959 } 960 961 /* Add the null termination */ 962 master_key_ascii[a] = '\0'; 963 964} 965 966static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 967 char *real_blk_name, const char *name, int fd, 968 char *extra_params) 969{ 970 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 971 struct dm_ioctl *io; 972 struct dm_target_spec *tgt; 973 char *crypt_params; 974 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 975 int i; 976 977 io = (struct dm_ioctl *) buffer; 978 979 /* Load the mapping table for this device */ 980 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 981 982 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 983 io->target_count = 1; 984 tgt->status = 0; 985 tgt->sector_start = 0; 986 tgt->length = crypt_ftr->fs_size; 987#ifdef CONFIG_HW_DISK_ENCRYPTION 988 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 989 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 990 } 991 else { 992 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 993 } 994#else 995 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 996#endif 997 998 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 999 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1000 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1001 master_key_ascii, real_blk_name, extra_params); 1002 crypt_params += strlen(crypt_params) + 1; 1003 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1004 tgt->next = crypt_params - buffer; 1005 1006 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1007 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1008 break; 1009 } 1010 usleep(500000); 1011 } 1012 1013 if (i == TABLE_LOAD_RETRIES) { 1014 /* We failed to load the table, return an error */ 1015 return -1; 1016 } else { 1017 return i + 1; 1018 } 1019} 1020 1021 1022static int get_dm_crypt_version(int fd, const char *name, int *version) 1023{ 1024 char buffer[DM_CRYPT_BUF_SIZE]; 1025 struct dm_ioctl *io; 1026 struct dm_target_versions *v; 1027 1028 io = (struct dm_ioctl *) buffer; 1029 1030 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1031 1032 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1033 return -1; 1034 } 1035 1036 /* Iterate over the returned versions, looking for name of "crypt". 1037 * When found, get and return the version. 1038 */ 1039 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1040 while (v->next) { 1041#ifdef CONFIG_HW_DISK_ENCRYPTION 1042 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1043#else 1044 if (! strcmp(v->name, "crypt")) { 1045#endif 1046 /* We found the crypt driver, return the version, and get out */ 1047 version[0] = v->version[0]; 1048 version[1] = v->version[1]; 1049 version[2] = v->version[2]; 1050 return 0; 1051 } 1052 v = (struct dm_target_versions *)(((char *)v) + v->next); 1053 } 1054 1055 return -1; 1056} 1057 1058static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1059 char *real_blk_name, char *crypto_blk_name, const char *name) 1060{ 1061 char buffer[DM_CRYPT_BUF_SIZE]; 1062 struct dm_ioctl *io; 1063 unsigned int minor; 1064 int fd=0; 1065 int retval = -1; 1066 int version[3]; 1067 char *extra_params; 1068 int load_count; 1069 1070 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1071 SLOGE("Cannot open device-mapper\n"); 1072 goto errout; 1073 } 1074 1075 io = (struct dm_ioctl *) buffer; 1076 1077 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1078 if (ioctl(fd, DM_DEV_CREATE, io)) { 1079 SLOGE("Cannot create dm-crypt device\n"); 1080 goto errout; 1081 } 1082 1083 /* Get the device status, in particular, the name of it's device file */ 1084 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1085 if (ioctl(fd, DM_DEV_STATUS, io)) { 1086 SLOGE("Cannot retrieve dm-crypt device status\n"); 1087 goto errout; 1088 } 1089 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1090 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1091 1092 extra_params = ""; 1093 if (! get_dm_crypt_version(fd, name, version)) { 1094 /* Support for allow_discards was added in version 1.11.0 */ 1095 if ((version[0] >= 2) || 1096 ((version[0] == 1) && (version[1] >= 11))) { 1097 extra_params = "1 allow_discards"; 1098 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1099 } 1100 } 1101 1102 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1103 fd, extra_params); 1104 if (load_count < 0) { 1105 SLOGE("Cannot load dm-crypt mapping table.\n"); 1106 goto errout; 1107 } else if (load_count > 1) { 1108 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1109 } 1110 1111 /* Resume this device to activate it */ 1112 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1113 1114 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1115 SLOGE("Cannot resume the dm-crypt device\n"); 1116 goto errout; 1117 } 1118 1119 /* We made it here with no errors. Woot! */ 1120 retval = 0; 1121 1122errout: 1123 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1124 1125 return retval; 1126} 1127 1128static int delete_crypto_blk_dev(char *name) 1129{ 1130 int fd; 1131 char buffer[DM_CRYPT_BUF_SIZE]; 1132 struct dm_ioctl *io; 1133 int retval = -1; 1134 1135 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1136 SLOGE("Cannot open device-mapper\n"); 1137 goto errout; 1138 } 1139 1140 io = (struct dm_ioctl *) buffer; 1141 1142 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1143 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1144 SLOGE("Cannot remove dm-crypt device\n"); 1145 goto errout; 1146 } 1147 1148 /* We made it here with no errors. Woot! */ 1149 retval = 0; 1150 1151errout: 1152 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1153 1154 return retval; 1155 1156} 1157 1158static int pbkdf2(const char *passwd, const unsigned char *salt, 1159 unsigned char *ikey, void *params UNUSED) 1160{ 1161 SLOGI("Using pbkdf2 for cryptfs KDF"); 1162 1163 /* Turn the password into a key and IV that can decrypt the master key */ 1164 unsigned int keysize; 1165 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1166 if (!master_key) return -1; 1167 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1168 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1169 1170 memset(master_key, 0, keysize); 1171 free (master_key); 1172 return 0; 1173} 1174 1175static int scrypt(const char *passwd, const unsigned char *salt, 1176 unsigned char *ikey, void *params) 1177{ 1178 SLOGI("Using scrypt for cryptfs KDF"); 1179 1180 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1181 1182 int N = 1 << ftr->N_factor; 1183 int r = 1 << ftr->r_factor; 1184 int p = 1 << ftr->p_factor; 1185 1186 /* Turn the password into a key and IV that can decrypt the master key */ 1187 unsigned int keysize; 1188 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1189 if (!master_key) return -1; 1190 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1191 KEY_LEN_BYTES + IV_LEN_BYTES); 1192 1193 memset(master_key, 0, keysize); 1194 free (master_key); 1195 return 0; 1196} 1197 1198static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1199 unsigned char *ikey, void *params) 1200{ 1201 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1202 1203 int rc; 1204 unsigned int key_size; 1205 size_t signature_size; 1206 unsigned char* signature; 1207 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1208 1209 int N = 1 << ftr->N_factor; 1210 int r = 1 << ftr->r_factor; 1211 int p = 1 << ftr->p_factor; 1212 1213 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1214 if (!master_key) { 1215 SLOGE("Failed to convert passwd from hex"); 1216 return -1; 1217 } 1218 1219 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1220 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1221 memset(master_key, 0, key_size); 1222 free(master_key); 1223 1224 if (rc) { 1225 SLOGE("scrypt failed"); 1226 return -1; 1227 } 1228 1229 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1230 &signature, &signature_size)) { 1231 SLOGE("Signing failed"); 1232 return -1; 1233 } 1234 1235 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1236 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1237 free(signature); 1238 1239 if (rc) { 1240 SLOGE("scrypt failed"); 1241 return -1; 1242 } 1243 1244 return 0; 1245} 1246 1247static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1248 const unsigned char *decrypted_master_key, 1249 unsigned char *encrypted_master_key, 1250 struct crypt_mnt_ftr *crypt_ftr) 1251{ 1252 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1253 EVP_CIPHER_CTX e_ctx; 1254 int encrypted_len, final_len; 1255 int rc = 0; 1256 1257 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1258 get_device_scrypt_params(crypt_ftr); 1259 1260 switch (crypt_ftr->kdf_type) { 1261 case KDF_SCRYPT_KEYMASTER: 1262 if (keymaster_create_key(crypt_ftr)) { 1263 SLOGE("keymaster_create_key failed"); 1264 return -1; 1265 } 1266 1267 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1268 SLOGE("scrypt failed"); 1269 return -1; 1270 } 1271 break; 1272 1273 case KDF_SCRYPT: 1274 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1275 SLOGE("scrypt failed"); 1276 return -1; 1277 } 1278 break; 1279 1280 default: 1281 SLOGE("Invalid kdf_type"); 1282 return -1; 1283 } 1284 1285 /* Initialize the decryption engine */ 1286 EVP_CIPHER_CTX_init(&e_ctx); 1287 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1288 SLOGE("EVP_EncryptInit failed\n"); 1289 return -1; 1290 } 1291 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1292 1293 /* Encrypt the master key */ 1294 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1295 decrypted_master_key, KEY_LEN_BYTES)) { 1296 SLOGE("EVP_EncryptUpdate failed\n"); 1297 return -1; 1298 } 1299 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1300 SLOGE("EVP_EncryptFinal failed\n"); 1301 return -1; 1302 } 1303 1304 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1305 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1306 return -1; 1307 } 1308 1309 /* Store the scrypt of the intermediate key, so we can validate if it's a 1310 password error or mount error when things go wrong. 1311 Note there's no need to check for errors, since if this is incorrect, we 1312 simply won't wipe userdata, which is the correct default behavior 1313 */ 1314 int N = 1 << crypt_ftr->N_factor; 1315 int r = 1 << crypt_ftr->r_factor; 1316 int p = 1 << crypt_ftr->p_factor; 1317 1318 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1319 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1320 crypt_ftr->scrypted_intermediate_key, 1321 sizeof(crypt_ftr->scrypted_intermediate_key)); 1322 1323 if (rc) { 1324 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1325 } 1326 1327 return 0; 1328} 1329 1330static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1331 unsigned char *encrypted_master_key, 1332 unsigned char *decrypted_master_key, 1333 kdf_func kdf, void *kdf_params, 1334 unsigned char** intermediate_key, 1335 size_t* intermediate_key_size) 1336{ 1337 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1338 EVP_CIPHER_CTX d_ctx; 1339 int decrypted_len, final_len; 1340 1341 /* Turn the password into an intermediate key and IV that can decrypt the 1342 master key */ 1343 if (kdf(passwd, salt, ikey, kdf_params)) { 1344 SLOGE("kdf failed"); 1345 return -1; 1346 } 1347 1348 /* Initialize the decryption engine */ 1349 EVP_CIPHER_CTX_init(&d_ctx); 1350 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1351 return -1; 1352 } 1353 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1354 /* Decrypt the master key */ 1355 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1356 encrypted_master_key, KEY_LEN_BYTES)) { 1357 return -1; 1358 } 1359 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1360 return -1; 1361 } 1362 1363 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1364 return -1; 1365 } 1366 1367 /* Copy intermediate key if needed by params */ 1368 if (intermediate_key && intermediate_key_size) { 1369 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1370 if (intermediate_key) { 1371 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1372 *intermediate_key_size = KEY_LEN_BYTES; 1373 } 1374 } 1375 1376 return 0; 1377} 1378 1379static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1380{ 1381 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1382 *kdf = scrypt_keymaster; 1383 *kdf_params = ftr; 1384 } else if (ftr->kdf_type == KDF_SCRYPT) { 1385 *kdf = scrypt; 1386 *kdf_params = ftr; 1387 } else { 1388 *kdf = pbkdf2; 1389 *kdf_params = NULL; 1390 } 1391} 1392 1393static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1394 struct crypt_mnt_ftr *crypt_ftr, 1395 unsigned char** intermediate_key, 1396 size_t* intermediate_key_size) 1397{ 1398 kdf_func kdf; 1399 void *kdf_params; 1400 int ret; 1401 1402 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1403 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1404 decrypted_master_key, kdf, kdf_params, 1405 intermediate_key, intermediate_key_size); 1406 if (ret != 0) { 1407 SLOGW("failure decrypting master key"); 1408 } 1409 1410 return ret; 1411} 1412 1413static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1414 struct crypt_mnt_ftr *crypt_ftr) { 1415 int fd; 1416 unsigned char key_buf[KEY_LEN_BYTES]; 1417 1418 /* Get some random bits for a key */ 1419 fd = open("/dev/urandom", O_RDONLY); 1420 read(fd, key_buf, sizeof(key_buf)); 1421 read(fd, salt, SALT_LEN); 1422 close(fd); 1423 1424 /* Now encrypt it with the password */ 1425 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1426} 1427 1428static int wait_and_unmount(char *mountpoint, bool kill) 1429{ 1430 int i, err, rc; 1431#define WAIT_UNMOUNT_COUNT 20 1432 1433 /* Now umount the tmpfs filesystem */ 1434 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1435 if (umount(mountpoint) == 0) { 1436 break; 1437 } 1438 1439 if (errno == EINVAL) { 1440 /* EINVAL is returned if the directory is not a mountpoint, 1441 * i.e. there is no filesystem mounted there. So just get out. 1442 */ 1443 break; 1444 } 1445 1446 err = errno; 1447 1448 /* If allowed, be increasingly aggressive before the last two retries */ 1449 if (kill) { 1450 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1451 SLOGW("sending SIGHUP to processes with open files\n"); 1452 vold_killProcessesWithOpenFiles(mountpoint, 1); 1453 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1454 SLOGW("sending SIGKILL to processes with open files\n"); 1455 vold_killProcessesWithOpenFiles(mountpoint, 2); 1456 } 1457 } 1458 1459 sleep(1); 1460 } 1461 1462 if (i < WAIT_UNMOUNT_COUNT) { 1463 SLOGD("unmounting %s succeeded\n", mountpoint); 1464 rc = 0; 1465 } else { 1466 vold_killProcessesWithOpenFiles(mountpoint, 0); 1467 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1468 rc = -1; 1469 } 1470 1471 return rc; 1472} 1473 1474#define DATA_PREP_TIMEOUT 200 1475static int prep_data_fs(void) 1476{ 1477 int i; 1478 1479 /* Do the prep of the /data filesystem */ 1480 property_set("vold.post_fs_data_done", "0"); 1481 property_set("vold.decrypt", "trigger_post_fs_data"); 1482 SLOGD("Just triggered post_fs_data\n"); 1483 1484 /* Wait a max of 50 seconds, hopefully it takes much less */ 1485 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1486 char p[PROPERTY_VALUE_MAX]; 1487 1488 property_get("vold.post_fs_data_done", p, "0"); 1489 if (*p == '1') { 1490 break; 1491 } else { 1492 usleep(250000); 1493 } 1494 } 1495 if (i == DATA_PREP_TIMEOUT) { 1496 /* Ugh, we failed to prep /data in time. Bail. */ 1497 SLOGE("post_fs_data timed out!\n"); 1498 return -1; 1499 } else { 1500 SLOGD("post_fs_data done\n"); 1501 return 0; 1502 } 1503} 1504 1505static void cryptfs_set_corrupt() 1506{ 1507 // Mark the footer as bad 1508 struct crypt_mnt_ftr crypt_ftr; 1509 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1510 SLOGE("Failed to get crypto footer - panic"); 1511 return; 1512 } 1513 1514 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1515 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1516 SLOGE("Failed to set crypto footer - panic"); 1517 return; 1518 } 1519} 1520 1521static void cryptfs_trigger_restart_min_framework() 1522{ 1523 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1524 SLOGE("Failed to mount tmpfs on data - panic"); 1525 return; 1526 } 1527 1528 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1529 SLOGE("Failed to trigger post fs data - panic"); 1530 return; 1531 } 1532 1533 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1534 SLOGE("Failed to trigger restart min framework - panic"); 1535 return; 1536 } 1537} 1538 1539/* returns < 0 on failure */ 1540static int cryptfs_restart_internal(int restart_main) 1541{ 1542 char crypto_blkdev[MAXPATHLEN]; 1543 int rc = -1; 1544 static int restart_successful = 0; 1545 1546 /* Validate that it's OK to call this routine */ 1547 if (! master_key_saved) { 1548 SLOGE("Encrypted filesystem not validated, aborting"); 1549 return -1; 1550 } 1551 1552 if (restart_successful) { 1553 SLOGE("System already restarted with encrypted disk, aborting"); 1554 return -1; 1555 } 1556 1557 if (restart_main) { 1558 /* Here is where we shut down the framework. The init scripts 1559 * start all services in one of three classes: core, main or late_start. 1560 * On boot, we start core and main. Now, we stop main, but not core, 1561 * as core includes vold and a few other really important things that 1562 * we need to keep running. Once main has stopped, we should be able 1563 * to umount the tmpfs /data, then mount the encrypted /data. 1564 * We then restart the class main, and also the class late_start. 1565 * At the moment, I've only put a few things in late_start that I know 1566 * are not needed to bring up the framework, and that also cause problems 1567 * with unmounting the tmpfs /data, but I hope to add add more services 1568 * to the late_start class as we optimize this to decrease the delay 1569 * till the user is asked for the password to the filesystem. 1570 */ 1571 1572 /* The init files are setup to stop the class main when vold.decrypt is 1573 * set to trigger_reset_main. 1574 */ 1575 property_set("vold.decrypt", "trigger_reset_main"); 1576 SLOGD("Just asked init to shut down class main\n"); 1577 1578 /* Ugh, shutting down the framework is not synchronous, so until it 1579 * can be fixed, this horrible hack will wait a moment for it all to 1580 * shut down before proceeding. Without it, some devices cannot 1581 * restart the graphics services. 1582 */ 1583 sleep(2); 1584 } 1585 1586 /* Now that the framework is shutdown, we should be able to umount() 1587 * the tmpfs filesystem, and mount the real one. 1588 */ 1589 1590 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1591 if (strlen(crypto_blkdev) == 0) { 1592 SLOGE("fs_crypto_blkdev not set\n"); 1593 return -1; 1594 } 1595 1596 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1597 /* If ro.crypto.readonly is set to 1, mount the decrypted 1598 * filesystem readonly. This is used when /data is mounted by 1599 * recovery mode. 1600 */ 1601 char ro_prop[PROPERTY_VALUE_MAX]; 1602 property_get("ro.crypto.readonly", ro_prop, ""); 1603 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1604 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1605 rec->flags |= MS_RDONLY; 1606 } 1607 1608 /* If that succeeded, then mount the decrypted filesystem */ 1609 int retries = RETRY_MOUNT_ATTEMPTS; 1610 int mount_rc; 1611 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1612 crypto_blkdev, 0)) 1613 != 0) { 1614 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1615 /* TODO: invoke something similar to 1616 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1617 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1618 SLOGI("Failed to mount %s because it is busy - waiting", 1619 crypto_blkdev); 1620 if (--retries) { 1621 sleep(RETRY_MOUNT_DELAY_SECONDS); 1622 } else { 1623 /* Let's hope that a reboot clears away whatever is keeping 1624 the mount busy */ 1625 cryptfs_reboot(reboot); 1626 } 1627 } else { 1628 SLOGE("Failed to mount decrypted data"); 1629 cryptfs_set_corrupt(); 1630 cryptfs_trigger_restart_min_framework(); 1631 SLOGI("Started framework to offer wipe"); 1632 return -1; 1633 } 1634 } 1635 1636 property_set("vold.decrypt", "trigger_load_persist_props"); 1637 /* Create necessary paths on /data */ 1638 if (prep_data_fs()) { 1639 return -1; 1640 } 1641 1642 /* startup service classes main and late_start */ 1643 property_set("vold.decrypt", "trigger_restart_framework"); 1644 SLOGD("Just triggered restart_framework\n"); 1645 1646 /* Give it a few moments to get started */ 1647 sleep(1); 1648 } 1649 1650 if (rc == 0) { 1651 restart_successful = 1; 1652 } 1653 1654 return rc; 1655} 1656 1657int cryptfs_restart(void) 1658{ 1659 /* Call internal implementation forcing a restart of main service group */ 1660 return cryptfs_restart_internal(1); 1661} 1662 1663static int do_crypto_complete(char *mount_point UNUSED) 1664{ 1665 struct crypt_mnt_ftr crypt_ftr; 1666 char encrypted_state[PROPERTY_VALUE_MAX]; 1667 char key_loc[PROPERTY_VALUE_MAX]; 1668 1669 property_get("ro.crypto.state", encrypted_state, ""); 1670 if (strcmp(encrypted_state, "encrypted") ) { 1671 SLOGE("not running with encryption, aborting"); 1672 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1673 } 1674 1675 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1676 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1677 1678 /* 1679 * Only report this error if key_loc is a file and it exists. 1680 * If the device was never encrypted, and /data is not mountable for 1681 * some reason, returning 1 should prevent the UI from presenting the 1682 * a "enter password" screen, or worse, a "press button to wipe the 1683 * device" screen. 1684 */ 1685 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1686 SLOGE("master key file does not exist, aborting"); 1687 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1688 } else { 1689 SLOGE("Error getting crypt footer and key\n"); 1690 return CRYPTO_COMPLETE_BAD_METADATA; 1691 } 1692 } 1693 1694 // Test for possible error flags 1695 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1696 SLOGE("Encryption process is partway completed\n"); 1697 return CRYPTO_COMPLETE_PARTIAL; 1698 } 1699 1700 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1701 SLOGE("Encryption process was interrupted but cannot continue\n"); 1702 return CRYPTO_COMPLETE_INCONSISTENT; 1703 } 1704 1705 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1706 SLOGE("Encryption is successful but data is corrupt\n"); 1707 return CRYPTO_COMPLETE_CORRUPT; 1708 } 1709 1710 /* We passed the test! We shall diminish, and return to the west */ 1711 return CRYPTO_COMPLETE_ENCRYPTED; 1712} 1713 1714static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1715 char *passwd, char *mount_point, char *label) 1716{ 1717 /* Allocate enough space for a 256 bit key, but we may use less */ 1718 unsigned char decrypted_master_key[32]; 1719 char crypto_blkdev[MAXPATHLEN]; 1720 char real_blkdev[MAXPATHLEN]; 1721 char tmp_mount_point[64]; 1722 unsigned int orig_failed_decrypt_count; 1723 int rc; 1724 int use_keymaster = 0; 1725 int upgrade = 0; 1726 unsigned char* intermediate_key = 0; 1727 size_t intermediate_key_size = 0; 1728 1729 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1730 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1731 1732 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1733 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1734 &intermediate_key, &intermediate_key_size)) { 1735 SLOGE("Failed to decrypt master key\n"); 1736 rc = -1; 1737 goto errout; 1738 } 1739 } 1740 1741 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1742 1743#ifdef CONFIG_HW_DISK_ENCRYPTION 1744 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1745 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1746 SLOGE("Hardware encryption key does not match"); 1747 } 1748 } 1749#endif 1750 1751 // Create crypto block device - all (non fatal) code paths 1752 // need it 1753 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1754 real_blkdev, crypto_blkdev, label)) { 1755 SLOGE("Error creating decrypted block device\n"); 1756 rc = -1; 1757 goto errout; 1758 } 1759 1760 /* Work out if the problem is the password or the data */ 1761 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1762 scrypted_intermediate_key)]; 1763 int N = 1 << crypt_ftr->N_factor; 1764 int r = 1 << crypt_ftr->r_factor; 1765 int p = 1 << crypt_ftr->p_factor; 1766 1767 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1768 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1769 N, r, p, scrypted_intermediate_key, 1770 sizeof(scrypted_intermediate_key)); 1771 1772 // Does the key match the crypto footer? 1773 if (rc == 0 && memcmp(scrypted_intermediate_key, 1774 crypt_ftr->scrypted_intermediate_key, 1775 sizeof(scrypted_intermediate_key)) == 0) { 1776 SLOGI("Password matches"); 1777 rc = 0; 1778 } else { 1779 /* Try mounting the file system anyway, just in case the problem's with 1780 * the footer, not the key. */ 1781 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1782 mkdir(tmp_mount_point, 0755); 1783 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1784 SLOGE("Error temp mounting decrypted block device\n"); 1785 delete_crypto_blk_dev(label); 1786 1787 rc = ++crypt_ftr->failed_decrypt_count; 1788 put_crypt_ftr_and_key(crypt_ftr); 1789 } else { 1790 /* Success! */ 1791 SLOGI("Password did not match but decrypted drive mounted - continue"); 1792 umount(tmp_mount_point); 1793 rc = 0; 1794 } 1795 } 1796 1797 if (rc == 0) { 1798 crypt_ftr->failed_decrypt_count = 0; 1799 if (orig_failed_decrypt_count != 0) { 1800 put_crypt_ftr_and_key(crypt_ftr); 1801 } 1802 1803 /* Save the name of the crypto block device 1804 * so we can mount it when restarting the framework. */ 1805 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1806 1807 /* Also save a the master key so we can reencrypted the key 1808 * the key when we want to change the password on it. */ 1809 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1810 saved_mount_point = strdup(mount_point); 1811 master_key_saved = 1; 1812 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1813 rc = 0; 1814 1815 // Upgrade if we're not using the latest KDF. 1816 use_keymaster = keymaster_check_compatibility(); 1817 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1818 // Don't allow downgrade 1819 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1820 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1821 upgrade = 1; 1822 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1823 crypt_ftr->kdf_type = KDF_SCRYPT; 1824 upgrade = 1; 1825 } 1826 1827 if (upgrade) { 1828 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1829 crypt_ftr->master_key, crypt_ftr); 1830 if (!rc) { 1831 rc = put_crypt_ftr_and_key(crypt_ftr); 1832 } 1833 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1834 1835 // Do not fail even if upgrade failed - machine is bootable 1836 // Note that if this code is ever hit, there is a *serious* problem 1837 // since KDFs should never fail. You *must* fix the kdf before 1838 // proceeding! 1839 if (rc) { 1840 SLOGW("Upgrade failed with error %d," 1841 " but continuing with previous state", 1842 rc); 1843 rc = 0; 1844 } 1845 } 1846 } 1847 1848 errout: 1849 if (intermediate_key) { 1850 memset(intermediate_key, 0, intermediate_key_size); 1851 free(intermediate_key); 1852 } 1853 return rc; 1854} 1855 1856/* Called by vold when it wants to undo the crypto mapping of a volume it 1857 * manages. This is usually in response to a factory reset, when we want 1858 * to undo the crypto mapping so the volume is formatted in the clear. 1859 */ 1860int cryptfs_revert_volume(const char *label) 1861{ 1862 return delete_crypto_blk_dev((char *)label); 1863} 1864 1865/* 1866 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1867 * Setup a dm-crypt mapping, use the saved master key from 1868 * setting up the /data mapping, and return the new device path. 1869 */ 1870int cryptfs_setup_volume(const char *label, int major, int minor, 1871 char *crypto_sys_path, unsigned int max_path, 1872 int *new_major, int *new_minor) 1873{ 1874 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1875 struct crypt_mnt_ftr sd_crypt_ftr; 1876 struct stat statbuf; 1877 unsigned int nr_sec; 1878 int fd; 1879 1880 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1881 1882 get_crypt_ftr_and_key(&sd_crypt_ftr); 1883 1884 /* Update the fs_size field to be the size of the volume */ 1885 fd = open(real_blkdev, O_RDONLY); 1886 nr_sec = get_blkdev_size(fd); 1887 close(fd); 1888 if (nr_sec == 0) { 1889 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1890 return -1; 1891 } 1892 1893 sd_crypt_ftr.fs_size = nr_sec; 1894 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1895 crypto_blkdev, label); 1896 1897 if (stat(crypto_blkdev, &statbuf) < 0) { 1898 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1899 crypto_blkdev, errno, strerror(errno)); 1900 } 1901 *new_major = MAJOR(statbuf.st_rdev); 1902 *new_minor = MINOR(statbuf.st_rdev); 1903 1904 /* Create path to sys entry for this block device */ 1905 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1906 1907 return 0; 1908} 1909 1910int cryptfs_crypto_complete(void) 1911{ 1912 return do_crypto_complete("/data"); 1913} 1914 1915int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1916{ 1917 char encrypted_state[PROPERTY_VALUE_MAX]; 1918 property_get("ro.crypto.state", encrypted_state, ""); 1919 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1920 SLOGE("encrypted fs already validated or not running with encryption," 1921 " aborting"); 1922 return -1; 1923 } 1924 1925 if (get_crypt_ftr_and_key(crypt_ftr)) { 1926 SLOGE("Error getting crypt footer and key"); 1927 return -1; 1928 } 1929 1930 return 0; 1931} 1932 1933/* 1934 * TODO - transition patterns to new format in calling code 1935 * and remove this vile hack, and the use of hex in 1936 * the password passing code. 1937 * 1938 * Patterns are passed in zero based (i.e. the top left dot 1939 * is represented by zero, the top middle one etc), but we want 1940 * to store them '1' based. 1941 * This is to allow us to migrate the calling code to use this 1942 * convention. It also solves a nasty problem whereby scrypt ignores 1943 * trailing zeros, so patterns ending at the top left could be 1944 * truncated, and similarly, you could add the top left to any 1945 * pattern and still match. 1946 * adjust_passwd is a hack function that returns the alternate representation 1947 * if the password appears to be a pattern (hex numbers all less than 09) 1948 * If it succeeds we need to try both, and in particular try the alternate 1949 * first. If the original matches, then we need to update the footer 1950 * with the alternate. 1951 * All code that accepts passwords must adjust them first. Since 1952 * cryptfs_check_passwd is always the first function called after a migration 1953 * (and indeed on any boot) we only need to do the double try in this 1954 * function. 1955 */ 1956char* adjust_passwd(const char* passwd) 1957{ 1958 size_t index, length; 1959 1960 if (!passwd) { 1961 return 0; 1962 } 1963 1964 // Check even length. Hex encoded passwords are always 1965 // an even length, since each character encodes to two characters. 1966 length = strlen(passwd); 1967 if (length % 2) { 1968 SLOGW("Password not correctly hex encoded."); 1969 return 0; 1970 } 1971 1972 // Check password is old-style pattern - a collection of hex 1973 // encoded bytes less than 9 (00 through 08) 1974 for (index = 0; index < length; index +=2) { 1975 if (passwd[index] != '0' 1976 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1977 return 0; 1978 } 1979 } 1980 1981 // Allocate room for adjusted passwd and null terminate 1982 char* adjusted = malloc(length + 1); 1983 adjusted[length] = 0; 1984 1985 // Add 0x31 ('1') to each character 1986 for (index = 0; index < length; index += 2) { 1987 // output is 31 through 39 so set first byte to three, second to src + 1 1988 adjusted[index] = '3'; 1989 adjusted[index + 1] = passwd[index + 1] + 1; 1990 } 1991 1992 return adjusted; 1993} 1994 1995int cryptfs_check_passwd(char *passwd) 1996{ 1997 struct crypt_mnt_ftr crypt_ftr; 1998 int rc; 1999 2000 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2001 if (rc) 2002 return rc; 2003 2004 char* adjusted_passwd = adjust_passwd(passwd); 2005 if (adjusted_passwd) { 2006 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2007 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2008 DATA_MNT_POINT, "userdata"); 2009 2010 // Maybe the original one still works? 2011 if (rc) { 2012 // Don't double count this failure 2013 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2014 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2015 DATA_MNT_POINT, "userdata"); 2016 if (!rc) { 2017 // cryptfs_changepw also adjusts so pass original 2018 // Note that adjust_passwd only recognises patterns 2019 // so we can safely use CRYPT_TYPE_PATTERN 2020 SLOGI("Updating pattern to new format"); 2021 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2022 } 2023 } 2024 free(adjusted_passwd); 2025 } else { 2026 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2027 DATA_MNT_POINT, "userdata"); 2028 } 2029 2030 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2031 cryptfs_clear_password(); 2032 password = strdup(passwd); 2033 struct timespec now; 2034 clock_gettime(CLOCK_BOOTTIME, &now); 2035 password_expiry_time = now.tv_sec + password_max_age_seconds; 2036 } 2037 2038 return rc; 2039} 2040 2041int cryptfs_verify_passwd(char *passwd) 2042{ 2043 struct crypt_mnt_ftr crypt_ftr; 2044 /* Allocate enough space for a 256 bit key, but we may use less */ 2045 unsigned char decrypted_master_key[32]; 2046 char encrypted_state[PROPERTY_VALUE_MAX]; 2047 int rc; 2048 2049 property_get("ro.crypto.state", encrypted_state, ""); 2050 if (strcmp(encrypted_state, "encrypted") ) { 2051 SLOGE("device not encrypted, aborting"); 2052 return -2; 2053 } 2054 2055 if (!master_key_saved) { 2056 SLOGE("encrypted fs not yet mounted, aborting"); 2057 return -1; 2058 } 2059 2060 if (!saved_mount_point) { 2061 SLOGE("encrypted fs failed to save mount point, aborting"); 2062 return -1; 2063 } 2064 2065 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2066 SLOGE("Error getting crypt footer and key\n"); 2067 return -1; 2068 } 2069 2070 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2071 /* If the device has no password, then just say the password is valid */ 2072 rc = 0; 2073 } else { 2074 char* adjusted_passwd = adjust_passwd(passwd); 2075 if (adjusted_passwd) { 2076 passwd = adjusted_passwd; 2077 } 2078 2079 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2080 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2081 /* They match, the password is correct */ 2082 rc = 0; 2083 } else { 2084 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2085 sleep(1); 2086 rc = 1; 2087 } 2088 2089 free(adjusted_passwd); 2090 } 2091 2092 return rc; 2093} 2094 2095/* Initialize a crypt_mnt_ftr structure. The keysize is 2096 * defaulted to 16 bytes, and the filesystem size to 0. 2097 * Presumably, at a minimum, the caller will update the 2098 * filesystem size and crypto_type_name after calling this function. 2099 */ 2100static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2101{ 2102 off64_t off; 2103 2104 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2105 ftr->magic = CRYPT_MNT_MAGIC; 2106 ftr->major_version = CURRENT_MAJOR_VERSION; 2107 ftr->minor_version = CURRENT_MINOR_VERSION; 2108 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2109 ftr->keysize = KEY_LEN_BYTES; 2110 2111 switch (keymaster_check_compatibility()) { 2112 case 1: 2113 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2114 break; 2115 2116 case 0: 2117 ftr->kdf_type = KDF_SCRYPT; 2118 break; 2119 2120 default: 2121 SLOGE("keymaster_check_compatibility failed"); 2122 return -1; 2123 } 2124 2125 get_device_scrypt_params(ftr); 2126 2127 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2128 if (get_crypt_ftr_info(NULL, &off) == 0) { 2129 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2130 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2131 ftr->persist_data_size; 2132 } 2133 2134 return 0; 2135} 2136 2137static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2138{ 2139 const char *args[10]; 2140 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2141 int num_args; 2142 int status; 2143 int tmp; 2144 int rc = -1; 2145 2146 if (type == EXT4_FS) { 2147 args[0] = "/system/bin/make_ext4fs"; 2148 args[1] = "-a"; 2149 args[2] = "/data"; 2150 args[3] = "-l"; 2151 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2152 args[4] = size_str; 2153 args[5] = crypto_blkdev; 2154 num_args = 6; 2155 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2156 args[0], args[1], args[2], args[3], args[4], args[5]); 2157 } else if (type == F2FS_FS) { 2158 args[0] = "/system/bin/mkfs.f2fs"; 2159 args[1] = "-t"; 2160 args[2] = "-d1"; 2161 args[3] = crypto_blkdev; 2162 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2163 args[4] = size_str; 2164 num_args = 5; 2165 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2166 args[0], args[1], args[2], args[3], args[4]); 2167 } else { 2168 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2169 return -1; 2170 } 2171 2172 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2173 2174 if (tmp != 0) { 2175 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2176 } else { 2177 if (WIFEXITED(status)) { 2178 if (WEXITSTATUS(status)) { 2179 SLOGE("Error creating filesystem on %s, exit status %d ", 2180 crypto_blkdev, WEXITSTATUS(status)); 2181 } else { 2182 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2183 rc = 0; 2184 } 2185 } else { 2186 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2187 } 2188 } 2189 2190 return rc; 2191} 2192 2193#define CRYPT_INPLACE_BUFSIZE 4096 2194#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2195#define CRYPT_SECTOR_SIZE 512 2196 2197/* aligned 32K writes tends to make flash happy. 2198 * SD card association recommends it. 2199 */ 2200#ifndef CONFIG_HW_DISK_ENCRYPTION 2201#define BLOCKS_AT_A_TIME 8 2202#else 2203#define BLOCKS_AT_A_TIME 1024 2204#endif 2205 2206struct encryptGroupsData 2207{ 2208 int realfd; 2209 int cryptofd; 2210 off64_t numblocks; 2211 off64_t one_pct, cur_pct, new_pct; 2212 off64_t blocks_already_done, tot_numblocks; 2213 off64_t used_blocks_already_done, tot_used_blocks; 2214 char* real_blkdev, * crypto_blkdev; 2215 int count; 2216 off64_t offset; 2217 char* buffer; 2218 off64_t last_written_sector; 2219 int completed; 2220 time_t time_started; 2221 int remaining_time; 2222}; 2223 2224static void update_progress(struct encryptGroupsData* data, int is_used) 2225{ 2226 data->blocks_already_done++; 2227 2228 if (is_used) { 2229 data->used_blocks_already_done++; 2230 } 2231 if (data->tot_used_blocks) { 2232 data->new_pct = data->used_blocks_already_done / data->one_pct; 2233 } else { 2234 data->new_pct = data->blocks_already_done / data->one_pct; 2235 } 2236 2237 if (data->new_pct > data->cur_pct) { 2238 char buf[8]; 2239 data->cur_pct = data->new_pct; 2240 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2241 property_set("vold.encrypt_progress", buf); 2242 } 2243 2244 if (data->cur_pct >= 5) { 2245 struct timespec time_now; 2246 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2247 SLOGW("Error getting time"); 2248 } else { 2249 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2250 off64_t remaining_blocks = data->tot_used_blocks 2251 - data->used_blocks_already_done; 2252 int remaining_time = (int)(elapsed_time * remaining_blocks 2253 / data->used_blocks_already_done); 2254 2255 // Change time only if not yet set, lower, or a lot higher for 2256 // best user experience 2257 if (data->remaining_time == -1 2258 || remaining_time < data->remaining_time 2259 || remaining_time > data->remaining_time + 60) { 2260 char buf[8]; 2261 snprintf(buf, sizeof(buf), "%d", remaining_time); 2262 property_set("vold.encrypt_time_remaining", buf); 2263 data->remaining_time = remaining_time; 2264 } 2265 } 2266 } 2267} 2268 2269static void log_progress(struct encryptGroupsData const* data, bool completed) 2270{ 2271 // Precondition - if completed data = 0 else data != 0 2272 2273 // Track progress so we can skip logging blocks 2274 static off64_t offset = -1; 2275 2276 // Need to close existing 'Encrypting from' log? 2277 if (completed || (offset != -1 && data->offset != offset)) { 2278 SLOGI("Encrypted to sector %" PRId64, 2279 offset / info.block_size * CRYPT_SECTOR_SIZE); 2280 offset = -1; 2281 } 2282 2283 // Need to start new 'Encrypting from' log? 2284 if (!completed && offset != data->offset) { 2285 SLOGI("Encrypting from sector %" PRId64, 2286 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2287 } 2288 2289 // Update offset 2290 if (!completed) { 2291 offset = data->offset + (off64_t)data->count * info.block_size; 2292 } 2293} 2294 2295static int flush_outstanding_data(struct encryptGroupsData* data) 2296{ 2297 if (data->count == 0) { 2298 return 0; 2299 } 2300 2301 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2302 2303 if (pread64(data->realfd, data->buffer, 2304 info.block_size * data->count, data->offset) 2305 <= 0) { 2306 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2307 data->real_blkdev); 2308 return -1; 2309 } 2310 2311 if (pwrite64(data->cryptofd, data->buffer, 2312 info.block_size * data->count, data->offset) 2313 <= 0) { 2314 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2315 data->crypto_blkdev); 2316 return -1; 2317 } else { 2318 log_progress(data, false); 2319 } 2320 2321 data->count = 0; 2322 data->last_written_sector = (data->offset + data->count) 2323 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2324 return 0; 2325} 2326 2327static int encrypt_groups(struct encryptGroupsData* data) 2328{ 2329 unsigned int i; 2330 u8 *block_bitmap = 0; 2331 unsigned int block; 2332 off64_t ret; 2333 int rc = -1; 2334 2335 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2336 if (!data->buffer) { 2337 SLOGE("Failed to allocate crypto buffer"); 2338 goto errout; 2339 } 2340 2341 block_bitmap = malloc(info.block_size); 2342 if (!block_bitmap) { 2343 SLOGE("failed to allocate block bitmap"); 2344 goto errout; 2345 } 2346 2347 for (i = 0; i < aux_info.groups; ++i) { 2348 SLOGI("Encrypting group %d", i); 2349 2350 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2351 u32 block_count = min(info.blocks_per_group, 2352 aux_info.len_blocks - first_block); 2353 2354 off64_t offset = (u64)info.block_size 2355 * aux_info.bg_desc[i].bg_block_bitmap; 2356 2357 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2358 if (ret != (int)info.block_size) { 2359 SLOGE("failed to read all of block group bitmap %d", i); 2360 goto errout; 2361 } 2362 2363 offset = (u64)info.block_size * first_block; 2364 2365 data->count = 0; 2366 2367 for (block = 0; block < block_count; block++) { 2368 int used = bitmap_get_bit(block_bitmap, block); 2369 update_progress(data, used); 2370 if (used) { 2371 if (data->count == 0) { 2372 data->offset = offset; 2373 } 2374 data->count++; 2375 } else { 2376 if (flush_outstanding_data(data)) { 2377 goto errout; 2378 } 2379 } 2380 2381 offset += info.block_size; 2382 2383 /* Write data if we are aligned or buffer size reached */ 2384 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2385 || data->count == BLOCKS_AT_A_TIME) { 2386 if (flush_outstanding_data(data)) { 2387 goto errout; 2388 } 2389 } 2390 2391 if (!is_battery_ok_to_continue()) { 2392 SLOGE("Stopping encryption due to low battery"); 2393 rc = 0; 2394 goto errout; 2395 } 2396 2397 } 2398 if (flush_outstanding_data(data)) { 2399 goto errout; 2400 } 2401 } 2402 2403 data->completed = 1; 2404 rc = 0; 2405 2406errout: 2407 log_progress(0, true); 2408 free(data->buffer); 2409 free(block_bitmap); 2410 return rc; 2411} 2412 2413static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2414 char *real_blkdev, 2415 off64_t size, 2416 off64_t *size_already_done, 2417 off64_t tot_size, 2418 off64_t previously_encrypted_upto) 2419{ 2420 u32 i; 2421 struct encryptGroupsData data; 2422 int rc; // Can't initialize without causing warning -Wclobbered 2423 2424 if (previously_encrypted_upto > *size_already_done) { 2425 SLOGD("Not fast encrypting since resuming part way through"); 2426 return -1; 2427 } 2428 2429 memset(&data, 0, sizeof(data)); 2430 data.real_blkdev = real_blkdev; 2431 data.crypto_blkdev = crypto_blkdev; 2432 2433 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2434 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2435 real_blkdev, errno, strerror(errno)); 2436 rc = -1; 2437 goto errout; 2438 } 2439 2440 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2441 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2442 crypto_blkdev, errno, strerror(errno)); 2443 rc = ENABLE_INPLACE_ERR_DEV; 2444 goto errout; 2445 } 2446 2447 if (setjmp(setjmp_env)) { 2448 SLOGE("Reading ext4 extent caused an exception\n"); 2449 rc = -1; 2450 goto errout; 2451 } 2452 2453 if (read_ext(data.realfd, 0) != 0) { 2454 SLOGE("Failed to read ext4 extent\n"); 2455 rc = -1; 2456 goto errout; 2457 } 2458 2459 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2460 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2461 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2462 2463 SLOGI("Encrypting ext4 filesystem in place..."); 2464 2465 data.tot_used_blocks = data.numblocks; 2466 for (i = 0; i < aux_info.groups; ++i) { 2467 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2468 } 2469 2470 data.one_pct = data.tot_used_blocks / 100; 2471 data.cur_pct = 0; 2472 2473 struct timespec time_started = {0}; 2474 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2475 SLOGW("Error getting time at start"); 2476 // Note - continue anyway - we'll run with 0 2477 } 2478 data.time_started = time_started.tv_sec; 2479 data.remaining_time = -1; 2480 2481 rc = encrypt_groups(&data); 2482 if (rc) { 2483 SLOGE("Error encrypting groups"); 2484 goto errout; 2485 } 2486 2487 *size_already_done += data.completed ? size : data.last_written_sector; 2488 rc = 0; 2489 2490errout: 2491 close(data.realfd); 2492 close(data.cryptofd); 2493 2494 return rc; 2495} 2496 2497static void log_progress_f2fs(u64 block, bool completed) 2498{ 2499 // Precondition - if completed data = 0 else data != 0 2500 2501 // Track progress so we can skip logging blocks 2502 static u64 last_block = (u64)-1; 2503 2504 // Need to close existing 'Encrypting from' log? 2505 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2506 SLOGI("Encrypted to block %" PRId64, last_block); 2507 last_block = -1; 2508 } 2509 2510 // Need to start new 'Encrypting from' log? 2511 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2512 SLOGI("Encrypting from block %" PRId64, block); 2513 } 2514 2515 // Update offset 2516 if (!completed) { 2517 last_block = block; 2518 } 2519} 2520 2521static int encrypt_one_block_f2fs(u64 pos, void *data) 2522{ 2523 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2524 2525 priv_dat->blocks_already_done = pos - 1; 2526 update_progress(priv_dat, 1); 2527 2528 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2529 2530 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2531 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2532 return -1; 2533 } 2534 2535 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2536 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2537 return -1; 2538 } else { 2539 log_progress_f2fs(pos, false); 2540 } 2541 2542 return 0; 2543} 2544 2545static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2546 char *real_blkdev, 2547 off64_t size, 2548 off64_t *size_already_done, 2549 off64_t tot_size, 2550 off64_t previously_encrypted_upto) 2551{ 2552 struct encryptGroupsData data; 2553 struct f2fs_info *f2fs_info = NULL; 2554 int rc = ENABLE_INPLACE_ERR_OTHER; 2555 if (previously_encrypted_upto > *size_already_done) { 2556 SLOGD("Not fast encrypting since resuming part way through"); 2557 return ENABLE_INPLACE_ERR_OTHER; 2558 } 2559 memset(&data, 0, sizeof(data)); 2560 data.real_blkdev = real_blkdev; 2561 data.crypto_blkdev = crypto_blkdev; 2562 data.realfd = -1; 2563 data.cryptofd = -1; 2564 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2565 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2566 real_blkdev); 2567 goto errout; 2568 } 2569 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2570 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2571 crypto_blkdev, errno, strerror(errno)); 2572 rc = ENABLE_INPLACE_ERR_DEV; 2573 goto errout; 2574 } 2575 2576 f2fs_info = generate_f2fs_info(data.realfd); 2577 if (!f2fs_info) 2578 goto errout; 2579 2580 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2581 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2582 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2583 2584 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2585 2586 data.one_pct = data.tot_used_blocks / 100; 2587 data.cur_pct = 0; 2588 data.time_started = time(NULL); 2589 data.remaining_time = -1; 2590 2591 data.buffer = malloc(f2fs_info->block_size); 2592 if (!data.buffer) { 2593 SLOGE("Failed to allocate crypto buffer"); 2594 goto errout; 2595 } 2596 2597 data.count = 0; 2598 2599 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2600 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2601 2602 if (rc) { 2603 SLOGE("Error in running over f2fs blocks"); 2604 rc = ENABLE_INPLACE_ERR_OTHER; 2605 goto errout; 2606 } 2607 2608 *size_already_done += size; 2609 rc = 0; 2610 2611errout: 2612 if (rc) 2613 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2614 2615 log_progress_f2fs(0, true); 2616 free(f2fs_info); 2617 free(data.buffer); 2618 close(data.realfd); 2619 close(data.cryptofd); 2620 2621 return rc; 2622} 2623 2624static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2625 off64_t size, off64_t *size_already_done, 2626 off64_t tot_size, 2627 off64_t previously_encrypted_upto) 2628{ 2629 int realfd, cryptofd; 2630 char *buf[CRYPT_INPLACE_BUFSIZE]; 2631 int rc = ENABLE_INPLACE_ERR_OTHER; 2632 off64_t numblocks, i, remainder; 2633 off64_t one_pct, cur_pct, new_pct; 2634 off64_t blocks_already_done, tot_numblocks; 2635 2636 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2637 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2638 return ENABLE_INPLACE_ERR_OTHER; 2639 } 2640 2641 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2642 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2643 crypto_blkdev, errno, strerror(errno)); 2644 close(realfd); 2645 return ENABLE_INPLACE_ERR_DEV; 2646 } 2647 2648 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2649 * The size passed in is the number of 512 byte sectors in the filesystem. 2650 * So compute the number of whole 4K blocks we should read/write, 2651 * and the remainder. 2652 */ 2653 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2654 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2655 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2656 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2657 2658 SLOGE("Encrypting filesystem in place..."); 2659 2660 i = previously_encrypted_upto + 1 - *size_already_done; 2661 2662 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2663 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2664 goto errout; 2665 } 2666 2667 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2668 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2669 goto errout; 2670 } 2671 2672 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2673 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2674 SLOGE("Error reading initial sectors from real_blkdev %s for " 2675 "inplace encrypt\n", crypto_blkdev); 2676 goto errout; 2677 } 2678 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2679 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2680 "inplace encrypt\n", crypto_blkdev); 2681 goto errout; 2682 } else { 2683 SLOGI("Encrypted 1 block at %" PRId64, i); 2684 } 2685 } 2686 2687 one_pct = tot_numblocks / 100; 2688 cur_pct = 0; 2689 /* process the majority of the filesystem in blocks */ 2690 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2691 new_pct = (i + blocks_already_done) / one_pct; 2692 if (new_pct > cur_pct) { 2693 char buf[8]; 2694 2695 cur_pct = new_pct; 2696 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2697 property_set("vold.encrypt_progress", buf); 2698 } 2699 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2700 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2701 goto errout; 2702 } 2703 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2704 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2705 goto errout; 2706 } else { 2707 SLOGD("Encrypted %d block at %" PRId64, 2708 CRYPT_SECTORS_PER_BUFSIZE, 2709 i * CRYPT_SECTORS_PER_BUFSIZE); 2710 } 2711 2712 if (!is_battery_ok_to_continue()) { 2713 SLOGE("Stopping encryption due to low battery"); 2714 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2715 rc = 0; 2716 goto errout; 2717 } 2718 } 2719 2720 /* Do any remaining sectors */ 2721 for (i=0; i<remainder; i++) { 2722 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2723 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2724 goto errout; 2725 } 2726 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2727 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2728 goto errout; 2729 } else { 2730 SLOGI("Encrypted 1 block at next location"); 2731 } 2732 } 2733 2734 *size_already_done += size; 2735 rc = 0; 2736 2737errout: 2738 close(realfd); 2739 close(cryptofd); 2740 2741 return rc; 2742} 2743 2744/* returns on of the ENABLE_INPLACE_* return codes */ 2745static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2746 off64_t size, off64_t *size_already_done, 2747 off64_t tot_size, 2748 off64_t previously_encrypted_upto) 2749{ 2750 int rc_ext4, rc_f2fs, rc_full; 2751 if (previously_encrypted_upto) { 2752 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2753 } 2754 2755 if (*size_already_done + size < previously_encrypted_upto) { 2756 *size_already_done += size; 2757 return 0; 2758 } 2759 2760 /* TODO: identify filesystem type. 2761 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2762 * then we will drop down to cryptfs_enable_inplace_f2fs. 2763 * */ 2764 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2765 size, size_already_done, 2766 tot_size, previously_encrypted_upto)) == 0) { 2767 return 0; 2768 } 2769 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2770 2771 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2772 size, size_already_done, 2773 tot_size, previously_encrypted_upto)) == 0) { 2774 return 0; 2775 } 2776 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2777 2778 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2779 size, size_already_done, tot_size, 2780 previously_encrypted_upto); 2781 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2782 2783 /* Hack for b/17898962, the following is the symptom... */ 2784 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2785 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2786 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2787 return ENABLE_INPLACE_ERR_DEV; 2788 } 2789 return rc_full; 2790} 2791 2792#define CRYPTO_ENABLE_WIPE 1 2793#define CRYPTO_ENABLE_INPLACE 2 2794 2795#define FRAMEWORK_BOOT_WAIT 60 2796 2797static inline int should_encrypt(struct volume_info *volume) 2798{ 2799 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2800 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2801} 2802 2803static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2804{ 2805 int fd = open(filename, O_RDONLY); 2806 if (fd == -1) { 2807 SLOGE("Error opening file %s", filename); 2808 return -1; 2809 } 2810 2811 char block[CRYPT_INPLACE_BUFSIZE]; 2812 memset(block, 0, sizeof(block)); 2813 if (unix_read(fd, block, sizeof(block)) < 0) { 2814 SLOGE("Error reading file %s", filename); 2815 close(fd); 2816 return -1; 2817 } 2818 2819 close(fd); 2820 2821 SHA256_CTX c; 2822 SHA256_Init(&c); 2823 SHA256_Update(&c, block, sizeof(block)); 2824 SHA256_Final(buf, &c); 2825 2826 return 0; 2827} 2828 2829static int get_fs_type(struct fstab_rec *rec) 2830{ 2831 if (!strcmp(rec->fs_type, "ext4")) { 2832 return EXT4_FS; 2833 } else if (!strcmp(rec->fs_type, "f2fs")) { 2834 return F2FS_FS; 2835 } else { 2836 return -1; 2837 } 2838} 2839 2840static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2841 char *crypto_blkdev, char *real_blkdev, 2842 int previously_encrypted_upto) 2843{ 2844 off64_t cur_encryption_done=0, tot_encryption_size=0; 2845 int rc = -1; 2846 2847 if (!is_battery_ok_to_start()) { 2848 SLOGW("Not starting encryption due to low battery"); 2849 return 0; 2850 } 2851 2852 /* The size of the userdata partition, and add in the vold volumes below */ 2853 tot_encryption_size = crypt_ftr->fs_size; 2854 2855 if (how == CRYPTO_ENABLE_WIPE) { 2856 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2857 int fs_type = get_fs_type(rec); 2858 if (fs_type < 0) { 2859 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2860 return -1; 2861 } 2862 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2863 } else if (how == CRYPTO_ENABLE_INPLACE) { 2864 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2865 crypt_ftr->fs_size, &cur_encryption_done, 2866 tot_encryption_size, 2867 previously_encrypted_upto); 2868 2869 if (rc == ENABLE_INPLACE_ERR_DEV) { 2870 /* Hack for b/17898962 */ 2871 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2872 cryptfs_reboot(reboot); 2873 } 2874 2875 if (!rc) { 2876 crypt_ftr->encrypted_upto = cur_encryption_done; 2877 } 2878 2879 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2880 /* The inplace routine never actually sets the progress to 100% due 2881 * to the round down nature of integer division, so set it here */ 2882 property_set("vold.encrypt_progress", "100"); 2883 } 2884 } else { 2885 /* Shouldn't happen */ 2886 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2887 rc = -1; 2888 } 2889 2890 return rc; 2891} 2892 2893int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2894 int allow_reboot) 2895{ 2896 int how = 0; 2897 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2898 unsigned long nr_sec; 2899 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2900 int rc=-1, fd, i; 2901 struct crypt_mnt_ftr crypt_ftr; 2902 struct crypt_persist_data *pdata; 2903 char encrypted_state[PROPERTY_VALUE_MAX]; 2904 char lockid[32] = { 0 }; 2905 char key_loc[PROPERTY_VALUE_MAX]; 2906 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2907 char *sd_mnt_point; 2908 int num_vols; 2909 struct volume_info *vol_list = 0; 2910 off64_t previously_encrypted_upto = 0; 2911 2912 if (!strcmp(howarg, "wipe")) { 2913 how = CRYPTO_ENABLE_WIPE; 2914 } else if (! strcmp(howarg, "inplace")) { 2915 how = CRYPTO_ENABLE_INPLACE; 2916 } else { 2917 /* Shouldn't happen, as CommandListener vets the args */ 2918 goto error_unencrypted; 2919 } 2920 2921 /* See if an encryption was underway and interrupted */ 2922 if (how == CRYPTO_ENABLE_INPLACE 2923 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2924 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2925 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2926 crypt_ftr.encrypted_upto = 0; 2927 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2928 2929 /* At this point, we are in an inconsistent state. Until we successfully 2930 complete encryption, a reboot will leave us broken. So mark the 2931 encryption failed in case that happens. 2932 On successfully completing encryption, remove this flag */ 2933 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2934 2935 put_crypt_ftr_and_key(&crypt_ftr); 2936 } 2937 2938 property_get("ro.crypto.state", encrypted_state, ""); 2939 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2940 SLOGE("Device is already running encrypted, aborting"); 2941 goto error_unencrypted; 2942 } 2943 2944 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2945 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2946 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2947 2948 /* Get the size of the real block device */ 2949 fd = open(real_blkdev, O_RDONLY); 2950 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2951 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2952 goto error_unencrypted; 2953 } 2954 close(fd); 2955 2956 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2957 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2958 unsigned int fs_size_sec, max_fs_size_sec; 2959 fs_size_sec = get_fs_size(real_blkdev); 2960 if (fs_size_sec == 0) 2961 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2962 2963 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2964 2965 if (fs_size_sec > max_fs_size_sec) { 2966 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2967 goto error_unencrypted; 2968 } 2969 } 2970 2971 /* Get a wakelock as this may take a while, and we don't want the 2972 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2973 * wants to keep the screen on, it can grab a full wakelock. 2974 */ 2975 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2976 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2977 2978 /* Get the sdcard mount point */ 2979 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2980 if (!sd_mnt_point) { 2981 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2982 } 2983 if (!sd_mnt_point) { 2984 sd_mnt_point = "/mnt/sdcard"; 2985 } 2986 2987 /* TODO 2988 * Currently do not have test devices with multiple encryptable volumes. 2989 * When we acquire some, re-add support. 2990 */ 2991 num_vols=vold_getNumDirectVolumes(); 2992 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2993 vold_getDirectVolumeList(vol_list); 2994 2995 for (i=0; i<num_vols; i++) { 2996 if (should_encrypt(&vol_list[i])) { 2997 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2998 "%s\n", vol_list[i].label); 2999 goto error_unencrypted; 3000 } 3001 } 3002 3003 /* The init files are setup to stop the class main and late start when 3004 * vold sets trigger_shutdown_framework. 3005 */ 3006 property_set("vold.decrypt", "trigger_shutdown_framework"); 3007 SLOGD("Just asked init to shut down class main\n"); 3008 3009 if (vold_unmountAllAsecs()) { 3010 /* Just report the error. If any are left mounted, 3011 * umounting /data below will fail and handle the error. 3012 */ 3013 SLOGE("Error unmounting internal asecs"); 3014 } 3015 3016 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3017 if (!strcmp(fuse_sdcard, "true")) { 3018 /* This is a device using the fuse layer to emulate the sdcard semantics 3019 * on top of the userdata partition. vold does not manage it, it is managed 3020 * by the sdcard service. The sdcard service was killed by the property trigger 3021 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3022 * unlike the case for vold managed devices above. 3023 */ 3024 if (wait_and_unmount(sd_mnt_point, false)) { 3025 goto error_shutting_down; 3026 } 3027 } 3028 3029 /* Now unmount the /data partition. */ 3030 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3031 if (allow_reboot) { 3032 goto error_shutting_down; 3033 } else { 3034 goto error_unencrypted; 3035 } 3036 } 3037 3038 /* Do extra work for a better UX when doing the long inplace encryption */ 3039 if (how == CRYPTO_ENABLE_INPLACE) { 3040 /* Now that /data is unmounted, we need to mount a tmpfs 3041 * /data, set a property saying we're doing inplace encryption, 3042 * and restart the framework. 3043 */ 3044 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3045 goto error_shutting_down; 3046 } 3047 /* Tells the framework that inplace encryption is starting */ 3048 property_set("vold.encrypt_progress", "0"); 3049 3050 /* restart the framework. */ 3051 /* Create necessary paths on /data */ 3052 if (prep_data_fs()) { 3053 goto error_shutting_down; 3054 } 3055 3056 /* Ugh, shutting down the framework is not synchronous, so until it 3057 * can be fixed, this horrible hack will wait a moment for it all to 3058 * shut down before proceeding. Without it, some devices cannot 3059 * restart the graphics services. 3060 */ 3061 sleep(2); 3062 } 3063 3064 /* Start the actual work of making an encrypted filesystem */ 3065 /* Initialize a crypt_mnt_ftr for the partition */ 3066 if (previously_encrypted_upto == 0) { 3067 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3068 goto error_shutting_down; 3069 } 3070 3071 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3072 crypt_ftr.fs_size = nr_sec 3073 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3074 } else { 3075 crypt_ftr.fs_size = nr_sec; 3076 } 3077 /* At this point, we are in an inconsistent state. Until we successfully 3078 complete encryption, a reboot will leave us broken. So mark the 3079 encryption failed in case that happens. 3080 On successfully completing encryption, remove this flag */ 3081 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3082 crypt_ftr.crypt_type = crypt_type; 3083#ifndef CONFIG_HW_DISK_ENCRYPTION 3084 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3085#else 3086 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3087 3088 rc = clear_hw_device_encryption_key(); 3089 if (!rc) { 3090 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3091 } 3092 3093 rc = set_hw_device_encryption_key(passwd, 3094 (char*) crypt_ftr.crypto_type_name); 3095 if (!rc) { 3096 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3097 goto error_shutting_down; 3098 } 3099#endif 3100 3101 /* Make an encrypted master key */ 3102 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3103 SLOGE("Cannot create encrypted master key\n"); 3104 goto error_shutting_down; 3105 } 3106 3107 /* Write the key to the end of the partition */ 3108 put_crypt_ftr_and_key(&crypt_ftr); 3109 3110 /* If any persistent data has been remembered, save it. 3111 * If none, create a valid empty table and save that. 3112 */ 3113 if (!persist_data) { 3114 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3115 if (pdata) { 3116 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3117 persist_data = pdata; 3118 } 3119 } 3120 if (persist_data) { 3121 save_persistent_data(); 3122 } 3123 } 3124 3125 if (how == CRYPTO_ENABLE_INPLACE) { 3126 /* startup service classes main and late_start */ 3127 property_set("vold.decrypt", "trigger_restart_min_framework"); 3128 SLOGD("Just triggered restart_min_framework\n"); 3129 3130 /* OK, the framework is restarted and will soon be showing a 3131 * progress bar. Time to setup an encrypted mapping, and 3132 * either write a new filesystem, or encrypt in place updating 3133 * the progress bar as we work. 3134 */ 3135 } 3136 3137 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3138 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3139 "userdata"); 3140 3141 /* If we are continuing, check checksums match */ 3142 rc = 0; 3143 if (previously_encrypted_upto) { 3144 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3145 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3146 3147 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3148 sizeof(hash_first_block)) != 0) { 3149 SLOGE("Checksums do not match - trigger wipe"); 3150 rc = -1; 3151 } 3152 } 3153 3154 if (!rc) { 3155 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3156 crypto_blkdev, real_blkdev, 3157 previously_encrypted_upto); 3158 } 3159 3160 /* Calculate checksum if we are not finished */ 3161 if (!rc && how == CRYPTO_ENABLE_INPLACE 3162 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3163 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3164 crypt_ftr.hash_first_block); 3165 if (rc) { 3166 SLOGE("Error calculating checksum for continuing encryption"); 3167 rc = -1; 3168 } 3169 } 3170 3171 /* Undo the dm-crypt mapping whether we succeed or not */ 3172 delete_crypto_blk_dev("userdata"); 3173 3174 free(vol_list); 3175 3176 if (! rc) { 3177 /* Success */ 3178 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3179 3180 if (how == CRYPTO_ENABLE_INPLACE 3181 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3182 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3183 crypt_ftr.encrypted_upto); 3184 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3185 } 3186 3187 put_crypt_ftr_and_key(&crypt_ftr); 3188 3189 if (how == CRYPTO_ENABLE_WIPE 3190 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3191 char value[PROPERTY_VALUE_MAX]; 3192 property_get("ro.crypto.state", value, ""); 3193 if (!strcmp(value, "")) { 3194 /* default encryption - continue first boot sequence */ 3195 property_set("ro.crypto.state", "encrypted"); 3196 release_wake_lock(lockid); 3197 cryptfs_check_passwd(DEFAULT_PASSWORD); 3198 cryptfs_restart_internal(1); 3199 return 0; 3200 } else { 3201 sleep(2); /* Give the UI a chance to show 100% progress */ 3202 cryptfs_reboot(reboot); 3203 } 3204 } else { 3205 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3206 cryptfs_reboot(shutdown); 3207 } 3208 } else { 3209 char value[PROPERTY_VALUE_MAX]; 3210 3211 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3212 if (!strcmp(value, "1")) { 3213 /* wipe data if encryption failed */ 3214 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3215 mkdir("/cache/recovery", 0700); 3216 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3217 if (fd >= 0) { 3218 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3219 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3220 close(fd); 3221 } else { 3222 SLOGE("could not open /cache/recovery/command\n"); 3223 } 3224 cryptfs_reboot(recovery); 3225 } else { 3226 /* set property to trigger dialog */ 3227 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3228 release_wake_lock(lockid); 3229 } 3230 return -1; 3231 } 3232 3233 /* hrm, the encrypt step claims success, but the reboot failed. 3234 * This should not happen. 3235 * Set the property and return. Hope the framework can deal with it. 3236 */ 3237 property_set("vold.encrypt_progress", "error_reboot_failed"); 3238 release_wake_lock(lockid); 3239 return rc; 3240 3241error_unencrypted: 3242 free(vol_list); 3243 property_set("vold.encrypt_progress", "error_not_encrypted"); 3244 if (lockid[0]) { 3245 release_wake_lock(lockid); 3246 } 3247 return -1; 3248 3249error_shutting_down: 3250 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3251 * but the framework is stopped and not restarted to show the error, so it's up to 3252 * vold to restart the system. 3253 */ 3254 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3255 cryptfs_reboot(reboot); 3256 3257 /* shouldn't get here */ 3258 property_set("vold.encrypt_progress", "error_shutting_down"); 3259 free(vol_list); 3260 if (lockid[0]) { 3261 release_wake_lock(lockid); 3262 } 3263 return -1; 3264} 3265 3266int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3267{ 3268 char* adjusted_passwd = adjust_passwd(passwd); 3269 if (adjusted_passwd) { 3270 passwd = adjusted_passwd; 3271 } 3272 3273 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3274 3275 free(adjusted_passwd); 3276 return rc; 3277} 3278 3279int cryptfs_enable_default(char *howarg, int allow_reboot) 3280{ 3281 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3282 DEFAULT_PASSWORD, allow_reboot); 3283} 3284 3285int cryptfs_changepw(int crypt_type, const char *newpw) 3286{ 3287 struct crypt_mnt_ftr crypt_ftr; 3288 int rc; 3289 3290 /* This is only allowed after we've successfully decrypted the master key */ 3291 if (!master_key_saved) { 3292 SLOGE("Key not saved, aborting"); 3293 return -1; 3294 } 3295 3296 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3297 SLOGE("Invalid crypt_type %d", crypt_type); 3298 return -1; 3299 } 3300 3301 /* get key */ 3302 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3303 SLOGE("Error getting crypt footer and key"); 3304 return -1; 3305 } 3306 3307 crypt_ftr.crypt_type = crypt_type; 3308 3309 char* adjusted_passwd = adjust_passwd(newpw); 3310 if (adjusted_passwd) { 3311 newpw = adjusted_passwd; 3312 } 3313 3314 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3315 : newpw, 3316 crypt_ftr.salt, 3317 saved_master_key, 3318 crypt_ftr.master_key, 3319 &crypt_ftr); 3320 free(adjusted_passwd); 3321 if (rc) { 3322 SLOGE("Encrypt master key failed: %d", rc); 3323 return -1; 3324 } 3325 /* save the key */ 3326 put_crypt_ftr_and_key(&crypt_ftr); 3327 3328#ifdef CONFIG_HW_DISK_ENCRYPTION 3329 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3330 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3331 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3332 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3333 if (!rc) 3334 return -1; 3335 } else { 3336 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3337 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3338 if (!rc) 3339 return -1; 3340 } 3341 } 3342#endif 3343 return 0; 3344} 3345 3346static unsigned int persist_get_max_entries(int encrypted) { 3347 struct crypt_mnt_ftr crypt_ftr; 3348 unsigned int dsize; 3349 unsigned int max_persistent_entries; 3350 3351 /* If encrypted, use the values from the crypt_ftr, otherwise 3352 * use the values for the current spec. 3353 */ 3354 if (encrypted) { 3355 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3356 return -1; 3357 } 3358 dsize = crypt_ftr.persist_data_size; 3359 } else { 3360 dsize = CRYPT_PERSIST_DATA_SIZE; 3361 } 3362 3363 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3364 sizeof(struct crypt_persist_entry); 3365 3366 return max_persistent_entries; 3367} 3368 3369static int persist_get_key(const char *fieldname, char *value) 3370{ 3371 unsigned int i; 3372 3373 if (persist_data == NULL) { 3374 return -1; 3375 } 3376 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3377 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3378 /* We found it! */ 3379 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3380 return 0; 3381 } 3382 } 3383 3384 return -1; 3385} 3386 3387static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3388{ 3389 unsigned int i; 3390 unsigned int num; 3391 unsigned int max_persistent_entries; 3392 3393 if (persist_data == NULL) { 3394 return -1; 3395 } 3396 3397 max_persistent_entries = persist_get_max_entries(encrypted); 3398 3399 num = persist_data->persist_valid_entries; 3400 3401 for (i = 0; i < num; i++) { 3402 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3403 /* We found an existing entry, update it! */ 3404 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3405 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3406 return 0; 3407 } 3408 } 3409 3410 /* We didn't find it, add it to the end, if there is room */ 3411 if (persist_data->persist_valid_entries < max_persistent_entries) { 3412 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3413 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3414 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3415 persist_data->persist_valid_entries++; 3416 return 0; 3417 } 3418 3419 return -1; 3420} 3421 3422/** 3423 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3424 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3425 */ 3426static int match_multi_entry(const char *key, const char *field, unsigned index) { 3427 unsigned int field_len; 3428 unsigned int key_index; 3429 field_len = strlen(field); 3430 3431 if (index == 0) { 3432 // The first key in a multi-entry field is just the filedname itself. 3433 if (!strcmp(key, field)) { 3434 return 1; 3435 } 3436 } 3437 // Match key against "%s_%d" % (field, index) 3438 if (strlen(key) < field_len + 1 + 1) { 3439 // Need at least a '_' and a digit. 3440 return 0; 3441 } 3442 if (strncmp(key, field, field_len)) { 3443 // If the key does not begin with field, it's not a match. 3444 return 0; 3445 } 3446 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3447 return 0; 3448 } 3449 return key_index >= index; 3450} 3451 3452/* 3453 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3454 * remaining entries starting from index will be deleted. 3455 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3456 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3457 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3458 * 3459 */ 3460static int persist_del_keys(const char *fieldname, unsigned index) 3461{ 3462 unsigned int i; 3463 unsigned int j; 3464 unsigned int num; 3465 3466 if (persist_data == NULL) { 3467 return PERSIST_DEL_KEY_ERROR_OTHER; 3468 } 3469 3470 num = persist_data->persist_valid_entries; 3471 3472 j = 0; // points to the end of non-deleted entries. 3473 // Filter out to-be-deleted entries in place. 3474 for (i = 0; i < num; i++) { 3475 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3476 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3477 j++; 3478 } 3479 } 3480 3481 if (j < num) { 3482 persist_data->persist_valid_entries = j; 3483 // Zeroise the remaining entries 3484 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3485 return PERSIST_DEL_KEY_OK; 3486 } else { 3487 // Did not find an entry matching the given fieldname 3488 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3489 } 3490} 3491 3492static int persist_count_keys(const char *fieldname) 3493{ 3494 unsigned int i; 3495 unsigned int count; 3496 3497 if (persist_data == NULL) { 3498 return -1; 3499 } 3500 3501 count = 0; 3502 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3503 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3504 count++; 3505 } 3506 } 3507 3508 return count; 3509} 3510 3511/* Return the value of the specified field. */ 3512int cryptfs_getfield(const char *fieldname, char *value, int len) 3513{ 3514 char temp_value[PROPERTY_VALUE_MAX]; 3515 /* CRYPTO_GETFIELD_OK is success, 3516 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3517 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3518 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3519 */ 3520 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3521 int i; 3522 char temp_field[PROPERTY_KEY_MAX]; 3523 3524 if (persist_data == NULL) { 3525 load_persistent_data(); 3526 if (persist_data == NULL) { 3527 SLOGE("Getfield error, cannot load persistent data"); 3528 goto out; 3529 } 3530 } 3531 3532 // Read value from persistent entries. If the original value is split into multiple entries, 3533 // stitch them back together. 3534 if (!persist_get_key(fieldname, temp_value)) { 3535 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3536 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3537 // value too small 3538 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3539 goto out; 3540 } 3541 rc = CRYPTO_GETFIELD_OK; 3542 3543 for (i = 1; /* break explicitly */; i++) { 3544 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3545 (int) sizeof(temp_field)) { 3546 // If the fieldname is very long, we stop as soon as it begins to overflow the 3547 // maximum field length. At this point we have in fact fully read out the original 3548 // value because cryptfs_setfield would not allow fields with longer names to be 3549 // written in the first place. 3550 break; 3551 } 3552 if (!persist_get_key(temp_field, temp_value)) { 3553 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3554 // value too small. 3555 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3556 goto out; 3557 } 3558 } else { 3559 // Exhaust all entries. 3560 break; 3561 } 3562 } 3563 } else { 3564 /* Sadness, it's not there. Return the error */ 3565 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3566 } 3567 3568out: 3569 return rc; 3570} 3571 3572/* Set the value of the specified field. */ 3573int cryptfs_setfield(const char *fieldname, const char *value) 3574{ 3575 char encrypted_state[PROPERTY_VALUE_MAX]; 3576 /* 0 is success, negative values are error */ 3577 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3578 int encrypted = 0; 3579 unsigned int field_id; 3580 char temp_field[PROPERTY_KEY_MAX]; 3581 unsigned int num_entries; 3582 unsigned int max_keylen; 3583 3584 if (persist_data == NULL) { 3585 load_persistent_data(); 3586 if (persist_data == NULL) { 3587 SLOGE("Setfield error, cannot load persistent data"); 3588 goto out; 3589 } 3590 } 3591 3592 property_get("ro.crypto.state", encrypted_state, ""); 3593 if (!strcmp(encrypted_state, "encrypted") ) { 3594 encrypted = 1; 3595 } 3596 3597 // Compute the number of entries required to store value, each entry can store up to 3598 // (PROPERTY_VALUE_MAX - 1) chars 3599 if (strlen(value) == 0) { 3600 // Empty value also needs one entry to store. 3601 num_entries = 1; 3602 } else { 3603 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3604 } 3605 3606 max_keylen = strlen(fieldname); 3607 if (num_entries > 1) { 3608 // Need an extra "_%d" suffix. 3609 max_keylen += 1 + log10(num_entries); 3610 } 3611 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3612 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3613 goto out; 3614 } 3615 3616 // Make sure we have enough space to write the new value 3617 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3618 persist_get_max_entries(encrypted)) { 3619 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3620 goto out; 3621 } 3622 3623 // Now that we know persist_data has enough space for value, let's delete the old field first 3624 // to make up space. 3625 persist_del_keys(fieldname, 0); 3626 3627 if (persist_set_key(fieldname, value, encrypted)) { 3628 // fail to set key, should not happen as we have already checked the available space 3629 SLOGE("persist_set_key() error during setfield()"); 3630 goto out; 3631 } 3632 3633 for (field_id = 1; field_id < num_entries; field_id++) { 3634 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3635 3636 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3637 // fail to set key, should not happen as we have already checked the available space. 3638 SLOGE("persist_set_key() error during setfield()"); 3639 goto out; 3640 } 3641 } 3642 3643 /* If we are running encrypted, save the persistent data now */ 3644 if (encrypted) { 3645 if (save_persistent_data()) { 3646 SLOGE("Setfield error, cannot save persistent data"); 3647 goto out; 3648 } 3649 } 3650 3651 rc = CRYPTO_SETFIELD_OK; 3652 3653out: 3654 return rc; 3655} 3656 3657/* Checks userdata. Attempt to mount the volume if default- 3658 * encrypted. 3659 * On success trigger next init phase and return 0. 3660 * Currently do not handle failure - see TODO below. 3661 */ 3662int cryptfs_mount_default_encrypted(void) 3663{ 3664 char decrypt_state[PROPERTY_VALUE_MAX]; 3665 property_get("vold.decrypt", decrypt_state, "0"); 3666 if (!strcmp(decrypt_state, "0")) { 3667 SLOGE("Not encrypted - should not call here"); 3668 } else { 3669 int crypt_type = cryptfs_get_password_type(); 3670 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3671 SLOGE("Bad crypt type - error"); 3672 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3673 SLOGD("Password is not default - " 3674 "starting min framework to prompt"); 3675 property_set("vold.decrypt", "trigger_restart_min_framework"); 3676 return 0; 3677 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3678 SLOGD("Password is default - restarting filesystem"); 3679 cryptfs_restart_internal(0); 3680 return 0; 3681 } else { 3682 SLOGE("Encrypted, default crypt type but can't decrypt"); 3683 } 3684 } 3685 3686 /** Corrupt. Allow us to boot into framework, which will detect bad 3687 crypto when it calls do_crypto_complete, then do a factory reset 3688 */ 3689 property_set("vold.decrypt", "trigger_restart_min_framework"); 3690 return 0; 3691} 3692 3693/* Returns type of the password, default, pattern, pin or password. 3694 */ 3695int cryptfs_get_password_type(void) 3696{ 3697 struct crypt_mnt_ftr crypt_ftr; 3698 3699 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3700 SLOGE("Error getting crypt footer and key\n"); 3701 return -1; 3702 } 3703 3704 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3705 return -1; 3706 } 3707 3708 return crypt_ftr.crypt_type; 3709} 3710 3711char* cryptfs_get_password() 3712{ 3713 struct timespec now; 3714 clock_gettime(CLOCK_BOOTTIME, &now); 3715 if (now.tv_sec < password_expiry_time) { 3716 return password; 3717 } else { 3718 cryptfs_clear_password(); 3719 return 0; 3720 } 3721} 3722 3723void cryptfs_clear_password() 3724{ 3725 if (password) { 3726 size_t len = strlen(password); 3727 memset(password, 0, len); 3728 free(password); 3729 password = 0; 3730 password_expiry_time = 0; 3731 } 3732} 3733