cryptfs.c revision 8e3f4510a88871a2d489ca4cdf7b738d4229053d
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include "cryptfs.h" 44#define LOG_TAG "Cryptfs" 45#include "cutils/log.h" 46#include "cutils/properties.h" 47#include "cutils/android_reboot.h" 48#include "hardware_legacy/power.h" 49#include <logwrap/logwrap.h> 50#include "VolumeManager.h" 51#include "VoldUtil.h" 52#include "crypto_scrypt.h" 53#include "ext4_utils.h" 54#include "f2fs_sparseblock.h" 55#include "CheckBattery.h" 56 57#include <hardware/keymaster.h> 58 59#define UNUSED __attribute__((unused)) 60 61#define UNUSED __attribute__((unused)) 62 63#define DM_CRYPT_BUF_SIZE 4096 64 65#define HASH_COUNT 2000 66#define KEY_LEN_BYTES 16 67#define IV_LEN_BYTES 16 68 69#define KEY_IN_FOOTER "footer" 70 71// "default_password" encoded into hex (d=0x64 etc) 72#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 73 74#define EXT4_FS 1 75#define F2FS_FS 2 76 77#define TABLE_LOAD_RETRIES 10 78 79#define RSA_KEY_SIZE 2048 80#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 81#define RSA_EXPONENT 0x10001 82 83#define RETRY_MOUNT_ATTEMPTS 10 84#define RETRY_MOUNT_DELAY_SECONDS 1 85 86char *me = "cryptfs"; 87 88static unsigned char saved_master_key[KEY_LEN_BYTES]; 89static char *saved_mount_point; 90static int master_key_saved = 0; 91static struct crypt_persist_data *persist_data = NULL; 92 93static int keymaster_init(keymaster_device_t **keymaster_dev) 94{ 95 int rc; 96 97 const hw_module_t* mod; 98 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 99 if (rc) { 100 ALOGE("could not find any keystore module"); 101 goto out; 102 } 103 104 rc = keymaster_open(mod, keymaster_dev); 105 if (rc) { 106 ALOGE("could not open keymaster device in %s (%s)", 107 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 108 goto out; 109 } 110 111 return 0; 112 113out: 114 *keymaster_dev = NULL; 115 return rc; 116} 117 118/* Should we use keymaster? */ 119static int keymaster_check_compatibility() 120{ 121 keymaster_device_t *keymaster_dev = 0; 122 int rc = 0; 123 124 if (keymaster_init(&keymaster_dev)) { 125 SLOGE("Failed to init keymaster"); 126 rc = -1; 127 goto out; 128 } 129 130 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 131 132 if (keymaster_dev->common.module->module_api_version 133 < KEYMASTER_MODULE_API_VERSION_0_3) { 134 rc = 0; 135 goto out; 136 } 137 138 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 139 rc = 1; 140 } 141 142out: 143 keymaster_close(keymaster_dev); 144 return rc; 145} 146 147/* Create a new keymaster key and store it in this footer */ 148static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 149{ 150 uint8_t* key = 0; 151 keymaster_device_t *keymaster_dev = 0; 152 153 if (keymaster_init(&keymaster_dev)) { 154 SLOGE("Failed to init keymaster"); 155 return -1; 156 } 157 158 int rc = 0; 159 160 keymaster_rsa_keygen_params_t params; 161 memset(¶ms, '\0', sizeof(params)); 162 params.public_exponent = RSA_EXPONENT; 163 params.modulus_size = RSA_KEY_SIZE; 164 165 size_t key_size; 166 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 167 &key, &key_size)) { 168 SLOGE("Failed to generate keypair"); 169 rc = -1; 170 goto out; 171 } 172 173 if (key_size > KEYMASTER_BLOB_SIZE) { 174 SLOGE("Keymaster key too large for crypto footer"); 175 rc = -1; 176 goto out; 177 } 178 179 memcpy(ftr->keymaster_blob, key, key_size); 180 ftr->keymaster_blob_size = key_size; 181 182out: 183 keymaster_close(keymaster_dev); 184 free(key); 185 return rc; 186} 187 188/* This signs the given object using the keymaster key. */ 189static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 190 const unsigned char *object, 191 const size_t object_size, 192 unsigned char **signature, 193 size_t *signature_size) 194{ 195 int rc = 0; 196 keymaster_device_t *keymaster_dev = 0; 197 if (keymaster_init(&keymaster_dev)) { 198 SLOGE("Failed to init keymaster"); 199 return -1; 200 } 201 202 /* We currently set the digest type to DIGEST_NONE because it's the 203 * only supported value for keymaster. A similar issue exists with 204 * PADDING_NONE. Long term both of these should likely change. 205 */ 206 keymaster_rsa_sign_params_t params; 207 params.digest_type = DIGEST_NONE; 208 params.padding_type = PADDING_NONE; 209 210 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 211 size_t to_sign_size = sizeof(to_sign); 212 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 213 214 // To sign a message with RSA, the message must satisfy two 215 // constraints: 216 // 217 // 1. The message, when interpreted as a big-endian numeric value, must 218 // be strictly less than the public modulus of the RSA key. Note 219 // that because the most significant bit of the public modulus is 220 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 221 // key), an n-bit message with most significant bit 0 always 222 // satisfies this requirement. 223 // 224 // 2. The message must have the same length in bits as the public 225 // modulus of the RSA key. This requirement isn't mathematically 226 // necessary, but is necessary to ensure consistency in 227 // implementations. 228 switch (ftr->kdf_type) { 229 case KDF_SCRYPT_KEYMASTER_UNPADDED: 230 // This is broken: It produces a message which is shorter than 231 // the public modulus, failing criterion 2. 232 memcpy(to_sign, object, object_size); 233 to_sign_size = object_size; 234 SLOGI("Signing unpadded object"); 235 break; 236 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 237 // This is broken: Since the value of object is uniformly 238 // distributed, it produces a message that is larger than the 239 // public modulus with probability 0.25. 240 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 241 SLOGI("Signing end-padded object"); 242 break; 243 case KDF_SCRYPT_KEYMASTER: 244 // This ensures the most significant byte of the signed message 245 // is zero. We could have zero-padded to the left instead, but 246 // this approach is slightly more robust against changes in 247 // object size. However, it's still broken (but not unusably 248 // so) because we really should be using a proper RSA padding 249 // function, such as OAEP. 250 // 251 // TODO(paullawrence): When keymaster 0.4 is available, change 252 // this to use the padding options it provides. 253 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 254 SLOGI("Signing safely-padded object"); 255 break; 256 default: 257 SLOGE("Unknown KDF type %d", ftr->kdf_type); 258 return -1; 259 } 260 261 rc = keymaster_dev->sign_data(keymaster_dev, 262 ¶ms, 263 ftr->keymaster_blob, 264 ftr->keymaster_blob_size, 265 to_sign, 266 to_sign_size, 267 signature, 268 signature_size); 269 270 keymaster_close(keymaster_dev); 271 return rc; 272} 273 274/* Store password when userdata is successfully decrypted and mounted. 275 * Cleared by cryptfs_clear_password 276 * 277 * To avoid a double prompt at boot, we need to store the CryptKeeper 278 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 279 * Since the entire framework is torn down and rebuilt after encryption, 280 * we have to use a daemon or similar to store the password. Since vold 281 * is secured against IPC except from system processes, it seems a reasonable 282 * place to store this. 283 * 284 * password should be cleared once it has been used. 285 * 286 * password is aged out after password_max_age_seconds seconds. 287 */ 288static char* password = 0; 289static int password_expiry_time = 0; 290static const int password_max_age_seconds = 60; 291 292extern struct fstab *fstab; 293 294enum RebootType {reboot, recovery, shutdown}; 295static void cryptfs_reboot(enum RebootType rt) 296{ 297 switch(rt) { 298 case reboot: 299 property_set(ANDROID_RB_PROPERTY, "reboot"); 300 break; 301 302 case recovery: 303 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 304 break; 305 306 case shutdown: 307 property_set(ANDROID_RB_PROPERTY, "shutdown"); 308 break; 309 } 310 311 sleep(20); 312 313 /* Shouldn't get here, reboot should happen before sleep times out */ 314 return; 315} 316 317static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 318{ 319 memset(io, 0, dataSize); 320 io->data_size = dataSize; 321 io->data_start = sizeof(struct dm_ioctl); 322 io->version[0] = 4; 323 io->version[1] = 0; 324 io->version[2] = 0; 325 io->flags = flags; 326 if (name) { 327 strncpy(io->name, name, sizeof(io->name)); 328 } 329} 330 331/** 332 * Gets the default device scrypt parameters for key derivation time tuning. 333 * The parameters should lead to about one second derivation time for the 334 * given device. 335 */ 336static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 337 const int default_params[] = SCRYPT_DEFAULTS; 338 int params[] = SCRYPT_DEFAULTS; 339 char paramstr[PROPERTY_VALUE_MAX]; 340 char *token; 341 char *saveptr; 342 int i; 343 344 property_get(SCRYPT_PROP, paramstr, ""); 345 if (paramstr[0] != '\0') { 346 /* 347 * The token we're looking for should be three integers separated by 348 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 349 */ 350 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 351 token != NULL && i < 3; 352 i++, token = strtok_r(NULL, ":", &saveptr)) { 353 char *endptr; 354 params[i] = strtol(token, &endptr, 10); 355 356 /* 357 * Check that there was a valid number and it's 8-bit. If not, 358 * break out and the end check will take the default values. 359 */ 360 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 361 break; 362 } 363 } 364 365 /* 366 * If there were not enough tokens or a token was malformed (not an 367 * integer), it will end up here and the default parameters can be 368 * taken. 369 */ 370 if ((i != 3) || (token != NULL)) { 371 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 372 memcpy(params, default_params, sizeof(params)); 373 } 374 } 375 376 ftr->N_factor = params[0]; 377 ftr->r_factor = params[1]; 378 ftr->p_factor = params[2]; 379} 380 381static unsigned int get_fs_size(char *dev) 382{ 383 int fd, block_size; 384 struct ext4_super_block sb; 385 off64_t len; 386 387 if ((fd = open(dev, O_RDONLY)) < 0) { 388 SLOGE("Cannot open device to get filesystem size "); 389 return 0; 390 } 391 392 if (lseek64(fd, 1024, SEEK_SET) < 0) { 393 SLOGE("Cannot seek to superblock"); 394 return 0; 395 } 396 397 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 398 SLOGE("Cannot read superblock"); 399 return 0; 400 } 401 402 close(fd); 403 404 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 405 SLOGE("Not a valid ext4 superblock"); 406 return 0; 407 } 408 block_size = 1024 << sb.s_log_block_size; 409 /* compute length in bytes */ 410 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 411 412 /* return length in sectors */ 413 return (unsigned int) (len / 512); 414} 415 416static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 417{ 418 static int cached_data = 0; 419 static off64_t cached_off = 0; 420 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 421 int fd; 422 char key_loc[PROPERTY_VALUE_MAX]; 423 char real_blkdev[PROPERTY_VALUE_MAX]; 424 unsigned int nr_sec; 425 int rc = -1; 426 427 if (!cached_data) { 428 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 429 430 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 431 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 432 SLOGE("Cannot open real block device %s\n", real_blkdev); 433 return -1; 434 } 435 436 if ((nr_sec = get_blkdev_size(fd))) { 437 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 438 * encryption info footer and key, and plenty of bytes to spare for future 439 * growth. 440 */ 441 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 442 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 443 cached_data = 1; 444 } else { 445 SLOGE("Cannot get size of block device %s\n", real_blkdev); 446 } 447 close(fd); 448 } else { 449 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 450 cached_off = 0; 451 cached_data = 1; 452 } 453 } 454 455 if (cached_data) { 456 if (metadata_fname) { 457 *metadata_fname = cached_metadata_fname; 458 } 459 if (off) { 460 *off = cached_off; 461 } 462 rc = 0; 463 } 464 465 return rc; 466} 467 468/* key or salt can be NULL, in which case just skip writing that value. Useful to 469 * update the failed mount count but not change the key. 470 */ 471static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 472{ 473 int fd; 474 unsigned int nr_sec, cnt; 475 /* starting_off is set to the SEEK_SET offset 476 * where the crypto structure starts 477 */ 478 off64_t starting_off; 479 int rc = -1; 480 char *fname = NULL; 481 struct stat statbuf; 482 483 if (get_crypt_ftr_info(&fname, &starting_off)) { 484 SLOGE("Unable to get crypt_ftr_info\n"); 485 return -1; 486 } 487 if (fname[0] != '/') { 488 SLOGE("Unexpected value for crypto key location\n"); 489 return -1; 490 } 491 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 492 SLOGE("Cannot open footer file %s for put\n", fname); 493 return -1; 494 } 495 496 /* Seek to the start of the crypt footer */ 497 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 498 SLOGE("Cannot seek to real block device footer\n"); 499 goto errout; 500 } 501 502 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 503 SLOGE("Cannot write real block device footer\n"); 504 goto errout; 505 } 506 507 fstat(fd, &statbuf); 508 /* If the keys are kept on a raw block device, do not try to truncate it. */ 509 if (S_ISREG(statbuf.st_mode)) { 510 if (ftruncate(fd, 0x4000)) { 511 SLOGE("Cannot set footer file size\n"); 512 goto errout; 513 } 514 } 515 516 /* Success! */ 517 rc = 0; 518 519errout: 520 close(fd); 521 return rc; 522 523} 524 525static inline int unix_read(int fd, void* buff, int len) 526{ 527 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 528} 529 530static inline int unix_write(int fd, const void* buff, int len) 531{ 532 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 533} 534 535static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 536{ 537 memset(pdata, 0, len); 538 pdata->persist_magic = PERSIST_DATA_MAGIC; 539 pdata->persist_valid_entries = 0; 540} 541 542/* A routine to update the passed in crypt_ftr to the lastest version. 543 * fd is open read/write on the device that holds the crypto footer and persistent 544 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 545 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 546 */ 547static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 548{ 549 int orig_major = crypt_ftr->major_version; 550 int orig_minor = crypt_ftr->minor_version; 551 552 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 553 struct crypt_persist_data *pdata; 554 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 555 556 SLOGW("upgrading crypto footer to 1.1"); 557 558 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 559 if (pdata == NULL) { 560 SLOGE("Cannot allocate persisent data\n"); 561 return; 562 } 563 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 564 565 /* Need to initialize the persistent data area */ 566 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 567 SLOGE("Cannot seek to persisent data offset\n"); 568 return; 569 } 570 /* Write all zeros to the first copy, making it invalid */ 571 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 572 573 /* Write a valid but empty structure to the second copy */ 574 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 575 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 576 577 /* Update the footer */ 578 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 579 crypt_ftr->persist_data_offset[0] = pdata_offset; 580 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 581 crypt_ftr->minor_version = 1; 582 } 583 584 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 585 SLOGW("upgrading crypto footer to 1.2"); 586 /* But keep the old kdf_type. 587 * It will get updated later to KDF_SCRYPT after the password has been verified. 588 */ 589 crypt_ftr->kdf_type = KDF_PBKDF2; 590 get_device_scrypt_params(crypt_ftr); 591 crypt_ftr->minor_version = 2; 592 } 593 594 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 595 SLOGW("upgrading crypto footer to 1.3"); 596 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 597 crypt_ftr->minor_version = 3; 598 } 599 600 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 601 if (lseek64(fd, offset, SEEK_SET) == -1) { 602 SLOGE("Cannot seek to crypt footer\n"); 603 return; 604 } 605 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 606 } 607} 608 609 610static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 611{ 612 int fd; 613 unsigned int nr_sec, cnt; 614 off64_t starting_off; 615 int rc = -1; 616 char *fname = NULL; 617 struct stat statbuf; 618 619 if (get_crypt_ftr_info(&fname, &starting_off)) { 620 SLOGE("Unable to get crypt_ftr_info\n"); 621 return -1; 622 } 623 if (fname[0] != '/') { 624 SLOGE("Unexpected value for crypto key location\n"); 625 return -1; 626 } 627 if ( (fd = open(fname, O_RDWR)) < 0) { 628 SLOGE("Cannot open footer file %s for get\n", fname); 629 return -1; 630 } 631 632 /* Make sure it's 16 Kbytes in length */ 633 fstat(fd, &statbuf); 634 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 635 SLOGE("footer file %s is not the expected size!\n", fname); 636 goto errout; 637 } 638 639 /* Seek to the start of the crypt footer */ 640 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 641 SLOGE("Cannot seek to real block device footer\n"); 642 goto errout; 643 } 644 645 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 646 SLOGE("Cannot read real block device footer\n"); 647 goto errout; 648 } 649 650 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 651 SLOGE("Bad magic for real block device %s\n", fname); 652 goto errout; 653 } 654 655 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 656 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 657 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 658 goto errout; 659 } 660 661 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 662 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 663 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 664 } 665 666 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 667 * copy on disk before returning. 668 */ 669 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 670 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 671 } 672 673 /* Success! */ 674 rc = 0; 675 676errout: 677 close(fd); 678 return rc; 679} 680 681static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 682{ 683 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 684 crypt_ftr->persist_data_offset[1]) { 685 SLOGE("Crypt_ftr persist data regions overlap"); 686 return -1; 687 } 688 689 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 690 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 691 return -1; 692 } 693 694 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 695 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 696 CRYPT_FOOTER_OFFSET) { 697 SLOGE("Persistent data extends past crypto footer"); 698 return -1; 699 } 700 701 return 0; 702} 703 704static int load_persistent_data(void) 705{ 706 struct crypt_mnt_ftr crypt_ftr; 707 struct crypt_persist_data *pdata = NULL; 708 char encrypted_state[PROPERTY_VALUE_MAX]; 709 char *fname; 710 int found = 0; 711 int fd; 712 int ret; 713 int i; 714 715 if (persist_data) { 716 /* Nothing to do, we've already loaded or initialized it */ 717 return 0; 718 } 719 720 721 /* If not encrypted, just allocate an empty table and initialize it */ 722 property_get("ro.crypto.state", encrypted_state, ""); 723 if (strcmp(encrypted_state, "encrypted") ) { 724 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 725 if (pdata) { 726 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 727 persist_data = pdata; 728 return 0; 729 } 730 return -1; 731 } 732 733 if(get_crypt_ftr_and_key(&crypt_ftr)) { 734 return -1; 735 } 736 737 if ((crypt_ftr.major_version < 1) 738 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 739 SLOGE("Crypt_ftr version doesn't support persistent data"); 740 return -1; 741 } 742 743 if (get_crypt_ftr_info(&fname, NULL)) { 744 return -1; 745 } 746 747 ret = validate_persistent_data_storage(&crypt_ftr); 748 if (ret) { 749 return -1; 750 } 751 752 fd = open(fname, O_RDONLY); 753 if (fd < 0) { 754 SLOGE("Cannot open %s metadata file", fname); 755 return -1; 756 } 757 758 if (persist_data == NULL) { 759 pdata = malloc(crypt_ftr.persist_data_size); 760 if (pdata == NULL) { 761 SLOGE("Cannot allocate memory for persistent data"); 762 goto err; 763 } 764 } 765 766 for (i = 0; i < 2; i++) { 767 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 768 SLOGE("Cannot seek to read persistent data on %s", fname); 769 goto err2; 770 } 771 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 772 SLOGE("Error reading persistent data on iteration %d", i); 773 goto err2; 774 } 775 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 776 found = 1; 777 break; 778 } 779 } 780 781 if (!found) { 782 SLOGI("Could not find valid persistent data, creating"); 783 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 784 } 785 786 /* Success */ 787 persist_data = pdata; 788 close(fd); 789 return 0; 790 791err2: 792 free(pdata); 793 794err: 795 close(fd); 796 return -1; 797} 798 799static int save_persistent_data(void) 800{ 801 struct crypt_mnt_ftr crypt_ftr; 802 struct crypt_persist_data *pdata; 803 char *fname; 804 off64_t write_offset; 805 off64_t erase_offset; 806 int found = 0; 807 int fd; 808 int ret; 809 810 if (persist_data == NULL) { 811 SLOGE("No persistent data to save"); 812 return -1; 813 } 814 815 if(get_crypt_ftr_and_key(&crypt_ftr)) { 816 return -1; 817 } 818 819 if ((crypt_ftr.major_version < 1) 820 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 821 SLOGE("Crypt_ftr version doesn't support persistent data"); 822 return -1; 823 } 824 825 ret = validate_persistent_data_storage(&crypt_ftr); 826 if (ret) { 827 return -1; 828 } 829 830 if (get_crypt_ftr_info(&fname, NULL)) { 831 return -1; 832 } 833 834 fd = open(fname, O_RDWR); 835 if (fd < 0) { 836 SLOGE("Cannot open %s metadata file", fname); 837 return -1; 838 } 839 840 pdata = malloc(crypt_ftr.persist_data_size); 841 if (pdata == NULL) { 842 SLOGE("Cannot allocate persistant data"); 843 goto err; 844 } 845 846 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 847 SLOGE("Cannot seek to read persistent data on %s", fname); 848 goto err2; 849 } 850 851 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 852 SLOGE("Error reading persistent data before save"); 853 goto err2; 854 } 855 856 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 857 /* The first copy is the curent valid copy, so write to 858 * the second copy and erase this one */ 859 write_offset = crypt_ftr.persist_data_offset[1]; 860 erase_offset = crypt_ftr.persist_data_offset[0]; 861 } else { 862 /* The second copy must be the valid copy, so write to 863 * the first copy, and erase the second */ 864 write_offset = crypt_ftr.persist_data_offset[0]; 865 erase_offset = crypt_ftr.persist_data_offset[1]; 866 } 867 868 /* Write the new copy first, if successful, then erase the old copy */ 869 if (lseek(fd, write_offset, SEEK_SET) < 0) { 870 SLOGE("Cannot seek to write persistent data"); 871 goto err2; 872 } 873 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 874 (int) crypt_ftr.persist_data_size) { 875 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 876 SLOGE("Cannot seek to erase previous persistent data"); 877 goto err2; 878 } 879 fsync(fd); 880 memset(pdata, 0, crypt_ftr.persist_data_size); 881 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 882 (int) crypt_ftr.persist_data_size) { 883 SLOGE("Cannot write to erase previous persistent data"); 884 goto err2; 885 } 886 fsync(fd); 887 } else { 888 SLOGE("Cannot write to save persistent data"); 889 goto err2; 890 } 891 892 /* Success */ 893 free(pdata); 894 close(fd); 895 return 0; 896 897err2: 898 free(pdata); 899err: 900 close(fd); 901 return -1; 902} 903 904static int hexdigit (char c) 905{ 906 if (c >= '0' && c <= '9') return c - '0'; 907 c = tolower(c); 908 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 909 return -1; 910} 911 912static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 913 unsigned int* out_keysize) 914{ 915 unsigned int i; 916 *out_keysize = 0; 917 918 size_t size = strlen (master_key_ascii); 919 if (size % 2) { 920 SLOGE("Trying to convert ascii string of odd length"); 921 return NULL; 922 } 923 924 unsigned char* master_key = (unsigned char*) malloc(size / 2); 925 if (master_key == 0) { 926 SLOGE("Cannot allocate"); 927 return NULL; 928 } 929 930 for (i = 0; i < size; i += 2) { 931 int high_nibble = hexdigit (master_key_ascii[i]); 932 int low_nibble = hexdigit (master_key_ascii[i + 1]); 933 934 if(high_nibble < 0 || low_nibble < 0) { 935 SLOGE("Invalid hex string"); 936 free (master_key); 937 return NULL; 938 } 939 940 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 941 (*out_keysize)++; 942 } 943 944 return master_key; 945} 946 947/* Convert a binary key of specified length into an ascii hex string equivalent, 948 * without the leading 0x and with null termination 949 */ 950static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 951 char *master_key_ascii) 952{ 953 unsigned int i, a; 954 unsigned char nibble; 955 956 for (i=0, a=0; i<keysize; i++, a+=2) { 957 /* For each byte, write out two ascii hex digits */ 958 nibble = (master_key[i] >> 4) & 0xf; 959 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 960 961 nibble = master_key[i] & 0xf; 962 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 963 } 964 965 /* Add the null termination */ 966 master_key_ascii[a] = '\0'; 967 968} 969 970static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 971 char *real_blk_name, const char *name, int fd, 972 char *extra_params) 973{ 974 char buffer[DM_CRYPT_BUF_SIZE]; 975 struct dm_ioctl *io; 976 struct dm_target_spec *tgt; 977 char *crypt_params; 978 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 979 int i; 980 981 io = (struct dm_ioctl *) buffer; 982 983 /* Load the mapping table for this device */ 984 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 985 986 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 987 io->target_count = 1; 988 tgt->status = 0; 989 tgt->sector_start = 0; 990 tgt->length = crypt_ftr->fs_size; 991 strcpy(tgt->target_type, "crypt"); 992 993 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 994 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 995 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 996 master_key_ascii, real_blk_name, extra_params); 997 crypt_params += strlen(crypt_params) + 1; 998 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 999 tgt->next = crypt_params - buffer; 1000 1001 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1002 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1003 break; 1004 } 1005 usleep(500000); 1006 } 1007 1008 if (i == TABLE_LOAD_RETRIES) { 1009 /* We failed to load the table, return an error */ 1010 return -1; 1011 } else { 1012 return i + 1; 1013 } 1014} 1015 1016 1017static int get_dm_crypt_version(int fd, const char *name, int *version) 1018{ 1019 char buffer[DM_CRYPT_BUF_SIZE]; 1020 struct dm_ioctl *io; 1021 struct dm_target_versions *v; 1022 int i; 1023 1024 io = (struct dm_ioctl *) buffer; 1025 1026 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1027 1028 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1029 return -1; 1030 } 1031 1032 /* Iterate over the returned versions, looking for name of "crypt". 1033 * When found, get and return the version. 1034 */ 1035 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1036 while (v->next) { 1037 if (! strcmp(v->name, "crypt")) { 1038 /* We found the crypt driver, return the version, and get out */ 1039 version[0] = v->version[0]; 1040 version[1] = v->version[1]; 1041 version[2] = v->version[2]; 1042 return 0; 1043 } 1044 v = (struct dm_target_versions *)(((char *)v) + v->next); 1045 } 1046 1047 return -1; 1048} 1049 1050static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1051 char *real_blk_name, char *crypto_blk_name, const char *name) 1052{ 1053 char buffer[DM_CRYPT_BUF_SIZE]; 1054 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1055 char *crypt_params; 1056 struct dm_ioctl *io; 1057 struct dm_target_spec *tgt; 1058 unsigned int minor; 1059 int fd; 1060 int i; 1061 int retval = -1; 1062 int version[3]; 1063 char *extra_params; 1064 int load_count; 1065 1066 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1067 SLOGE("Cannot open device-mapper\n"); 1068 goto errout; 1069 } 1070 1071 io = (struct dm_ioctl *) buffer; 1072 1073 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1074 if (ioctl(fd, DM_DEV_CREATE, io)) { 1075 SLOGE("Cannot create dm-crypt device\n"); 1076 goto errout; 1077 } 1078 1079 /* Get the device status, in particular, the name of it's device file */ 1080 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1081 if (ioctl(fd, DM_DEV_STATUS, io)) { 1082 SLOGE("Cannot retrieve dm-crypt device status\n"); 1083 goto errout; 1084 } 1085 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1086 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1087 1088 extra_params = ""; 1089 if (! get_dm_crypt_version(fd, name, version)) { 1090 /* Support for allow_discards was added in version 1.11.0 */ 1091 if ((version[0] >= 2) || 1092 ((version[0] == 1) && (version[1] >= 11))) { 1093 extra_params = "1 allow_discards"; 1094 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1095 } 1096 } 1097 1098 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1099 fd, extra_params); 1100 if (load_count < 0) { 1101 SLOGE("Cannot load dm-crypt mapping table.\n"); 1102 goto errout; 1103 } else if (load_count > 1) { 1104 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1105 } 1106 1107 /* Resume this device to activate it */ 1108 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1109 1110 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1111 SLOGE("Cannot resume the dm-crypt device\n"); 1112 goto errout; 1113 } 1114 1115 /* We made it here with no errors. Woot! */ 1116 retval = 0; 1117 1118errout: 1119 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1120 1121 return retval; 1122} 1123 1124static int delete_crypto_blk_dev(char *name) 1125{ 1126 int fd; 1127 char buffer[DM_CRYPT_BUF_SIZE]; 1128 struct dm_ioctl *io; 1129 int retval = -1; 1130 1131 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1132 SLOGE("Cannot open device-mapper\n"); 1133 goto errout; 1134 } 1135 1136 io = (struct dm_ioctl *) buffer; 1137 1138 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1139 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1140 SLOGE("Cannot remove dm-crypt device\n"); 1141 goto errout; 1142 } 1143 1144 /* We made it here with no errors. Woot! */ 1145 retval = 0; 1146 1147errout: 1148 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1149 1150 return retval; 1151 1152} 1153 1154static int pbkdf2(const char *passwd, const unsigned char *salt, 1155 unsigned char *ikey, void *params UNUSED) 1156{ 1157 SLOGI("Using pbkdf2 for cryptfs KDF"); 1158 1159 /* Turn the password into a key and IV that can decrypt the master key */ 1160 unsigned int keysize; 1161 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1162 if (!master_key) return -1; 1163 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1164 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1165 1166 memset(master_key, 0, keysize); 1167 free (master_key); 1168 return 0; 1169} 1170 1171static int scrypt(const char *passwd, const unsigned char *salt, 1172 unsigned char *ikey, void *params) 1173{ 1174 SLOGI("Using scrypt for cryptfs KDF"); 1175 1176 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1177 1178 int N = 1 << ftr->N_factor; 1179 int r = 1 << ftr->r_factor; 1180 int p = 1 << ftr->p_factor; 1181 1182 /* Turn the password into a key and IV that can decrypt the master key */ 1183 unsigned int keysize; 1184 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1185 if (!master_key) return -1; 1186 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1187 KEY_LEN_BYTES + IV_LEN_BYTES); 1188 1189 memset(master_key, 0, keysize); 1190 free (master_key); 1191 return 0; 1192} 1193 1194static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1195 unsigned char *ikey, void *params) 1196{ 1197 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1198 1199 int rc; 1200 unsigned int key_size; 1201 size_t signature_size; 1202 unsigned char* signature; 1203 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1204 1205 int N = 1 << ftr->N_factor; 1206 int r = 1 << ftr->r_factor; 1207 int p = 1 << ftr->p_factor; 1208 1209 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1210 if (!master_key) { 1211 SLOGE("Failed to convert passwd from hex"); 1212 return -1; 1213 } 1214 1215 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1216 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1217 memset(master_key, 0, key_size); 1218 free(master_key); 1219 1220 if (rc) { 1221 SLOGE("scrypt failed"); 1222 return -1; 1223 } 1224 1225 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1226 &signature, &signature_size)) { 1227 SLOGE("Signing failed"); 1228 return -1; 1229 } 1230 1231 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1232 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1233 free(signature); 1234 1235 if (rc) { 1236 SLOGE("scrypt failed"); 1237 return -1; 1238 } 1239 1240 return 0; 1241} 1242 1243static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1244 const unsigned char *decrypted_master_key, 1245 unsigned char *encrypted_master_key, 1246 struct crypt_mnt_ftr *crypt_ftr) 1247{ 1248 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1249 EVP_CIPHER_CTX e_ctx; 1250 int encrypted_len, final_len; 1251 int rc = 0; 1252 1253 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1254 get_device_scrypt_params(crypt_ftr); 1255 1256 switch (crypt_ftr->kdf_type) { 1257 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1258 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1259 case KDF_SCRYPT_KEYMASTER: 1260 if (keymaster_create_key(crypt_ftr)) { 1261 SLOGE("keymaster_create_key failed"); 1262 return -1; 1263 } 1264 1265 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1266 SLOGE("scrypt failed"); 1267 return -1; 1268 } 1269 break; 1270 1271 case KDF_SCRYPT: 1272 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1273 SLOGE("scrypt failed"); 1274 return -1; 1275 } 1276 break; 1277 1278 default: 1279 SLOGE("Invalid kdf_type"); 1280 return -1; 1281 } 1282 1283 /* Initialize the decryption engine */ 1284 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1285 SLOGE("EVP_EncryptInit failed\n"); 1286 return -1; 1287 } 1288 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1289 1290 /* Encrypt the master key */ 1291 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1292 decrypted_master_key, KEY_LEN_BYTES)) { 1293 SLOGE("EVP_EncryptUpdate failed\n"); 1294 return -1; 1295 } 1296 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1297 SLOGE("EVP_EncryptFinal failed\n"); 1298 return -1; 1299 } 1300 1301 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1302 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1303 return -1; 1304 } 1305 1306 /* Store the scrypt of the intermediate key, so we can validate if it's a 1307 password error or mount error when things go wrong. 1308 Note there's no need to check for errors, since if this is incorrect, we 1309 simply won't wipe userdata, which is the correct default behavior 1310 */ 1311 int N = 1 << crypt_ftr->N_factor; 1312 int r = 1 << crypt_ftr->r_factor; 1313 int p = 1 << crypt_ftr->p_factor; 1314 1315 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1316 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1317 crypt_ftr->scrypted_intermediate_key, 1318 sizeof(crypt_ftr->scrypted_intermediate_key)); 1319 1320 if (rc) { 1321 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1322 } 1323 1324 return 0; 1325} 1326 1327static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1328 unsigned char *encrypted_master_key, 1329 unsigned char *decrypted_master_key, 1330 kdf_func kdf, void *kdf_params, 1331 unsigned char** intermediate_key, 1332 size_t* intermediate_key_size) 1333{ 1334 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1335 EVP_CIPHER_CTX d_ctx; 1336 int decrypted_len, final_len; 1337 1338 /* Turn the password into an intermediate key and IV that can decrypt the 1339 master key */ 1340 if (kdf(passwd, salt, ikey, kdf_params)) { 1341 SLOGE("kdf failed"); 1342 return -1; 1343 } 1344 1345 /* Initialize the decryption engine */ 1346 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1347 return -1; 1348 } 1349 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1350 /* Decrypt the master key */ 1351 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1352 encrypted_master_key, KEY_LEN_BYTES)) { 1353 return -1; 1354 } 1355 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1356 return -1; 1357 } 1358 1359 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1360 return -1; 1361 } 1362 1363 /* Copy intermediate key if needed by params */ 1364 if (intermediate_key && intermediate_key_size) { 1365 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1366 if (intermediate_key) { 1367 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1368 *intermediate_key_size = KEY_LEN_BYTES; 1369 } 1370 } 1371 1372 return 0; 1373} 1374 1375static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1376{ 1377 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1378 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1379 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1380 *kdf = scrypt_keymaster; 1381 *kdf_params = ftr; 1382 } else if (ftr->kdf_type == KDF_SCRYPT) { 1383 *kdf = scrypt; 1384 *kdf_params = ftr; 1385 } else { 1386 *kdf = pbkdf2; 1387 *kdf_params = NULL; 1388 } 1389} 1390 1391static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1392 struct crypt_mnt_ftr *crypt_ftr, 1393 unsigned char** intermediate_key, 1394 size_t* intermediate_key_size) 1395{ 1396 kdf_func kdf; 1397 void *kdf_params; 1398 int ret; 1399 1400 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1401 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1402 decrypted_master_key, kdf, kdf_params, 1403 intermediate_key, intermediate_key_size); 1404 if (ret != 0) { 1405 SLOGW("failure decrypting master key"); 1406 } 1407 1408 return ret; 1409} 1410 1411static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1412 struct crypt_mnt_ftr *crypt_ftr) { 1413 int fd; 1414 unsigned char key_buf[KEY_LEN_BYTES]; 1415 EVP_CIPHER_CTX e_ctx; 1416 int encrypted_len, final_len; 1417 1418 /* Get some random bits for a key */ 1419 fd = open("/dev/urandom", O_RDONLY); 1420 read(fd, key_buf, sizeof(key_buf)); 1421 read(fd, salt, SALT_LEN); 1422 close(fd); 1423 1424 /* Now encrypt it with the password */ 1425 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1426} 1427 1428static int wait_and_unmount(char *mountpoint) 1429{ 1430 int i, rc; 1431#define WAIT_UNMOUNT_COUNT 20 1432 1433 /* Now umount the tmpfs filesystem */ 1434 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1435 if (umount(mountpoint)) { 1436 if (errno == EINVAL) { 1437 /* EINVAL is returned if the directory is not a mountpoint, 1438 * i.e. there is no filesystem mounted there. So just get out. 1439 */ 1440 break; 1441 } 1442 sleep(1); 1443 i++; 1444 } else { 1445 break; 1446 } 1447 } 1448 1449 if (i < WAIT_UNMOUNT_COUNT) { 1450 SLOGD("unmounting %s succeeded\n", mountpoint); 1451 rc = 0; 1452 } else { 1453 SLOGE("unmounting %s failed\n", mountpoint); 1454 rc = -1; 1455 } 1456 1457 return rc; 1458} 1459 1460#define DATA_PREP_TIMEOUT 200 1461static int prep_data_fs(void) 1462{ 1463 int i; 1464 1465 /* Do the prep of the /data filesystem */ 1466 property_set("vold.post_fs_data_done", "0"); 1467 property_set("vold.decrypt", "trigger_post_fs_data"); 1468 SLOGD("Just triggered post_fs_data\n"); 1469 1470 /* Wait a max of 50 seconds, hopefully it takes much less */ 1471 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1472 char p[PROPERTY_VALUE_MAX]; 1473 1474 property_get("vold.post_fs_data_done", p, "0"); 1475 if (*p == '1') { 1476 break; 1477 } else { 1478 usleep(250000); 1479 } 1480 } 1481 if (i == DATA_PREP_TIMEOUT) { 1482 /* Ugh, we failed to prep /data in time. Bail. */ 1483 SLOGE("post_fs_data timed out!\n"); 1484 return -1; 1485 } else { 1486 SLOGD("post_fs_data done\n"); 1487 return 0; 1488 } 1489} 1490 1491static void cryptfs_set_corrupt() 1492{ 1493 // Mark the footer as bad 1494 struct crypt_mnt_ftr crypt_ftr; 1495 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1496 SLOGE("Failed to get crypto footer - panic"); 1497 return; 1498 } 1499 1500 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1501 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1502 SLOGE("Failed to set crypto footer - panic"); 1503 return; 1504 } 1505} 1506 1507static void cryptfs_trigger_restart_min_framework() 1508{ 1509 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1510 SLOGE("Failed to mount tmpfs on data - panic"); 1511 return; 1512 } 1513 1514 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1515 SLOGE("Failed to trigger post fs data - panic"); 1516 return; 1517 } 1518 1519 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1520 SLOGE("Failed to trigger restart min framework - panic"); 1521 return; 1522 } 1523} 1524 1525/* returns < 0 on failure */ 1526static int cryptfs_restart_internal(int restart_main) 1527{ 1528 char fs_type[32]; 1529 char real_blkdev[MAXPATHLEN]; 1530 char crypto_blkdev[MAXPATHLEN]; 1531 char fs_options[256]; 1532 unsigned long mnt_flags; 1533 struct stat statbuf; 1534 int rc = -1, i; 1535 static int restart_successful = 0; 1536 1537 /* Validate that it's OK to call this routine */ 1538 if (! master_key_saved) { 1539 SLOGE("Encrypted filesystem not validated, aborting"); 1540 return -1; 1541 } 1542 1543 if (restart_successful) { 1544 SLOGE("System already restarted with encrypted disk, aborting"); 1545 return -1; 1546 } 1547 1548 if (restart_main) { 1549 /* Here is where we shut down the framework. The init scripts 1550 * start all services in one of three classes: core, main or late_start. 1551 * On boot, we start core and main. Now, we stop main, but not core, 1552 * as core includes vold and a few other really important things that 1553 * we need to keep running. Once main has stopped, we should be able 1554 * to umount the tmpfs /data, then mount the encrypted /data. 1555 * We then restart the class main, and also the class late_start. 1556 * At the moment, I've only put a few things in late_start that I know 1557 * are not needed to bring up the framework, and that also cause problems 1558 * with unmounting the tmpfs /data, but I hope to add add more services 1559 * to the late_start class as we optimize this to decrease the delay 1560 * till the user is asked for the password to the filesystem. 1561 */ 1562 1563 /* The init files are setup to stop the class main when vold.decrypt is 1564 * set to trigger_reset_main. 1565 */ 1566 property_set("vold.decrypt", "trigger_reset_main"); 1567 SLOGD("Just asked init to shut down class main\n"); 1568 1569 /* Ugh, shutting down the framework is not synchronous, so until it 1570 * can be fixed, this horrible hack will wait a moment for it all to 1571 * shut down before proceeding. Without it, some devices cannot 1572 * restart the graphics services. 1573 */ 1574 sleep(2); 1575 } 1576 1577 /* Now that the framework is shutdown, we should be able to umount() 1578 * the tmpfs filesystem, and mount the real one. 1579 */ 1580 1581 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1582 if (strlen(crypto_blkdev) == 0) { 1583 SLOGE("fs_crypto_blkdev not set\n"); 1584 return -1; 1585 } 1586 1587 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) { 1588 /* If ro.crypto.readonly is set to 1, mount the decrypted 1589 * filesystem readonly. This is used when /data is mounted by 1590 * recovery mode. 1591 */ 1592 char ro_prop[PROPERTY_VALUE_MAX]; 1593 property_get("ro.crypto.readonly", ro_prop, ""); 1594 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1595 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1596 rec->flags |= MS_RDONLY; 1597 } 1598 1599 /* If that succeeded, then mount the decrypted filesystem */ 1600 int retries = RETRY_MOUNT_ATTEMPTS; 1601 int mount_rc; 1602 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1603 crypto_blkdev, 0)) 1604 != 0) { 1605 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1606 /* TODO: invoke something similar to 1607 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1608 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1609 SLOGI("Failed to mount %s because it is busy - waiting", 1610 crypto_blkdev); 1611 if (--retries) { 1612 sleep(RETRY_MOUNT_DELAY_SECONDS); 1613 } else { 1614 /* Let's hope that a reboot clears away whatever is keeping 1615 the mount busy */ 1616 cryptfs_reboot(reboot); 1617 } 1618 } else { 1619 SLOGE("Failed to mount decrypted data"); 1620 cryptfs_set_corrupt(); 1621 cryptfs_trigger_restart_min_framework(); 1622 SLOGI("Started framework to offer wipe"); 1623 return -1; 1624 } 1625 } 1626 1627 property_set("vold.decrypt", "trigger_load_persist_props"); 1628 /* Create necessary paths on /data */ 1629 if (prep_data_fs()) { 1630 return -1; 1631 } 1632 1633 /* startup service classes main and late_start */ 1634 property_set("vold.decrypt", "trigger_restart_framework"); 1635 SLOGD("Just triggered restart_framework\n"); 1636 1637 /* Give it a few moments to get started */ 1638 sleep(1); 1639 } 1640 1641 if (rc == 0) { 1642 restart_successful = 1; 1643 } 1644 1645 return rc; 1646} 1647 1648int cryptfs_restart(void) 1649{ 1650 /* Call internal implementation forcing a restart of main service group */ 1651 return cryptfs_restart_internal(1); 1652} 1653 1654static int do_crypto_complete(char *mount_point UNUSED) 1655{ 1656 struct crypt_mnt_ftr crypt_ftr; 1657 char encrypted_state[PROPERTY_VALUE_MAX]; 1658 char key_loc[PROPERTY_VALUE_MAX]; 1659 1660 property_get("ro.crypto.state", encrypted_state, ""); 1661 if (strcmp(encrypted_state, "encrypted") ) { 1662 SLOGE("not running with encryption, aborting"); 1663 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1664 } 1665 1666 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1667 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1668 1669 /* 1670 * Only report this error if key_loc is a file and it exists. 1671 * If the device was never encrypted, and /data is not mountable for 1672 * some reason, returning 1 should prevent the UI from presenting the 1673 * a "enter password" screen, or worse, a "press button to wipe the 1674 * device" screen. 1675 */ 1676 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1677 SLOGE("master key file does not exist, aborting"); 1678 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1679 } else { 1680 SLOGE("Error getting crypt footer and key\n"); 1681 return CRYPTO_COMPLETE_BAD_METADATA; 1682 } 1683 } 1684 1685 // Test for possible error flags 1686 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1687 SLOGE("Encryption process is partway completed\n"); 1688 return CRYPTO_COMPLETE_PARTIAL; 1689 } 1690 1691 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1692 SLOGE("Encryption process was interrupted but cannot continue\n"); 1693 return CRYPTO_COMPLETE_INCONSISTENT; 1694 } 1695 1696 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1697 SLOGE("Encryption is successful but data is corrupt\n"); 1698 return CRYPTO_COMPLETE_CORRUPT; 1699 } 1700 1701 /* We passed the test! We shall diminish, and return to the west */ 1702 return CRYPTO_COMPLETE_ENCRYPTED; 1703} 1704 1705static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1706 char *passwd, char *mount_point, char *label) 1707{ 1708 /* Allocate enough space for a 256 bit key, but we may use less */ 1709 unsigned char decrypted_master_key[32]; 1710 char crypto_blkdev[MAXPATHLEN]; 1711 char real_blkdev[MAXPATHLEN]; 1712 char tmp_mount_point[64]; 1713 unsigned int orig_failed_decrypt_count; 1714 int rc; 1715 kdf_func kdf; 1716 void *kdf_params; 1717 int use_keymaster = 0; 1718 int upgrade = 0; 1719 unsigned char* intermediate_key = 0; 1720 size_t intermediate_key_size = 0; 1721 1722 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1723 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1724 1725 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1726 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1727 &intermediate_key, &intermediate_key_size)) { 1728 SLOGE("Failed to decrypt master key\n"); 1729 rc = -1; 1730 goto errout; 1731 } 1732 } 1733 1734 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1735 1736 // Create crypto block device - all (non fatal) code paths 1737 // need it 1738 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1739 real_blkdev, crypto_blkdev, label)) { 1740 SLOGE("Error creating decrypted block device\n"); 1741 rc = -1; 1742 goto errout; 1743 } 1744 1745 /* Work out if the problem is the password or the data */ 1746 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1747 scrypted_intermediate_key)]; 1748 int N = 1 << crypt_ftr->N_factor; 1749 int r = 1 << crypt_ftr->r_factor; 1750 int p = 1 << crypt_ftr->p_factor; 1751 1752 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1753 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1754 N, r, p, scrypted_intermediate_key, 1755 sizeof(scrypted_intermediate_key)); 1756 1757 // Does the key match the crypto footer? 1758 if (rc == 0 && memcmp(scrypted_intermediate_key, 1759 crypt_ftr->scrypted_intermediate_key, 1760 sizeof(scrypted_intermediate_key)) == 0) { 1761 SLOGI("Password matches"); 1762 rc = 0; 1763 } else { 1764 /* Try mounting the file system anyway, just in case the problem's with 1765 * the footer, not the key. */ 1766 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1767 mkdir(tmp_mount_point, 0755); 1768 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1769 SLOGE("Error temp mounting decrypted block device\n"); 1770 delete_crypto_blk_dev(label); 1771 1772 rc = ++crypt_ftr->failed_decrypt_count; 1773 put_crypt_ftr_and_key(crypt_ftr); 1774 } else { 1775 /* Success! */ 1776 SLOGI("Password did not match but decrypted drive mounted - continue"); 1777 umount(tmp_mount_point); 1778 rc = 0; 1779 } 1780 } 1781 1782 if (rc == 0) { 1783 crypt_ftr->failed_decrypt_count = 0; 1784 1785 /* Save the name of the crypto block device 1786 * so we can mount it when restarting the framework. */ 1787 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1788 1789 /* Also save a the master key so we can reencrypted the key 1790 * the key when we want to change the password on it. */ 1791 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1792 saved_mount_point = strdup(mount_point); 1793 master_key_saved = 1; 1794 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1795 rc = 0; 1796 1797 // Upgrade if we're not using the latest KDF. 1798 use_keymaster = keymaster_check_compatibility(); 1799 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1800 // Don't allow downgrade 1801 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1802 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1803 upgrade = 1; 1804 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1805 crypt_ftr->kdf_type = KDF_SCRYPT; 1806 upgrade = 1; 1807 } 1808 1809 if (upgrade) { 1810 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1811 crypt_ftr->master_key, crypt_ftr); 1812 if (!rc) { 1813 rc = put_crypt_ftr_and_key(crypt_ftr); 1814 } 1815 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1816 1817 // Do not fail even if upgrade failed - machine is bootable 1818 // Note that if this code is ever hit, there is a *serious* problem 1819 // since KDFs should never fail. You *must* fix the kdf before 1820 // proceeding! 1821 if (rc) { 1822 SLOGW("Upgrade failed with error %d," 1823 " but continuing with previous state", 1824 rc); 1825 rc = 0; 1826 } 1827 } 1828 } 1829 1830 errout: 1831 if (intermediate_key) { 1832 memset(intermediate_key, 0, intermediate_key_size); 1833 free(intermediate_key); 1834 } 1835 return rc; 1836} 1837 1838/* Called by vold when it wants to undo the crypto mapping of a volume it 1839 * manages. This is usually in response to a factory reset, when we want 1840 * to undo the crypto mapping so the volume is formatted in the clear. 1841 */ 1842int cryptfs_revert_volume(const char *label) 1843{ 1844 return delete_crypto_blk_dev((char *)label); 1845} 1846 1847/* 1848 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1849 * Setup a dm-crypt mapping, use the saved master key from 1850 * setting up the /data mapping, and return the new device path. 1851 */ 1852int cryptfs_setup_volume(const char *label, int major, int minor, 1853 char *crypto_sys_path, unsigned int max_path, 1854 int *new_major, int *new_minor) 1855{ 1856 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1857 struct crypt_mnt_ftr sd_crypt_ftr; 1858 struct stat statbuf; 1859 int nr_sec, fd; 1860 1861 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1862 1863 get_crypt_ftr_and_key(&sd_crypt_ftr); 1864 1865 /* Update the fs_size field to be the size of the volume */ 1866 fd = open(real_blkdev, O_RDONLY); 1867 nr_sec = get_blkdev_size(fd); 1868 close(fd); 1869 if (nr_sec == 0) { 1870 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1871 return -1; 1872 } 1873 1874 sd_crypt_ftr.fs_size = nr_sec; 1875 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1876 crypto_blkdev, label); 1877 1878 stat(crypto_blkdev, &statbuf); 1879 *new_major = MAJOR(statbuf.st_rdev); 1880 *new_minor = MINOR(statbuf.st_rdev); 1881 1882 /* Create path to sys entry for this block device */ 1883 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1884 1885 return 0; 1886} 1887 1888int cryptfs_crypto_complete(void) 1889{ 1890 return do_crypto_complete("/data"); 1891} 1892 1893int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1894{ 1895 char encrypted_state[PROPERTY_VALUE_MAX]; 1896 property_get("ro.crypto.state", encrypted_state, ""); 1897 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1898 SLOGE("encrypted fs already validated or not running with encryption," 1899 " aborting"); 1900 return -1; 1901 } 1902 1903 if (get_crypt_ftr_and_key(crypt_ftr)) { 1904 SLOGE("Error getting crypt footer and key"); 1905 return -1; 1906 } 1907 1908 return 0; 1909} 1910 1911int cryptfs_check_passwd(char *passwd) 1912{ 1913 struct crypt_mnt_ftr crypt_ftr; 1914 int rc; 1915 1916 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1917 if (rc) 1918 return rc; 1919 1920 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1921 DATA_MNT_POINT, "userdata"); 1922 1923 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1924 cryptfs_clear_password(); 1925 password = strdup(passwd); 1926 struct timespec now; 1927 clock_gettime(CLOCK_BOOTTIME, &now); 1928 password_expiry_time = now.tv_sec + password_max_age_seconds; 1929 } 1930 1931 return rc; 1932} 1933 1934int cryptfs_verify_passwd(char *passwd) 1935{ 1936 struct crypt_mnt_ftr crypt_ftr; 1937 /* Allocate enough space for a 256 bit key, but we may use less */ 1938 unsigned char decrypted_master_key[32]; 1939 char encrypted_state[PROPERTY_VALUE_MAX]; 1940 int rc; 1941 1942 property_get("ro.crypto.state", encrypted_state, ""); 1943 if (strcmp(encrypted_state, "encrypted") ) { 1944 SLOGE("device not encrypted, aborting"); 1945 return -2; 1946 } 1947 1948 if (!master_key_saved) { 1949 SLOGE("encrypted fs not yet mounted, aborting"); 1950 return -1; 1951 } 1952 1953 if (!saved_mount_point) { 1954 SLOGE("encrypted fs failed to save mount point, aborting"); 1955 return -1; 1956 } 1957 1958 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1959 SLOGE("Error getting crypt footer and key\n"); 1960 return -1; 1961 } 1962 1963 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 1964 /* If the device has no password, then just say the password is valid */ 1965 rc = 0; 1966 } else { 1967 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 1968 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 1969 /* They match, the password is correct */ 1970 rc = 0; 1971 } else { 1972 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 1973 sleep(1); 1974 rc = 1; 1975 } 1976 } 1977 1978 return rc; 1979} 1980 1981/* Initialize a crypt_mnt_ftr structure. The keysize is 1982 * defaulted to 16 bytes, and the filesystem size to 0. 1983 * Presumably, at a minimum, the caller will update the 1984 * filesystem size and crypto_type_name after calling this function. 1985 */ 1986static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 1987{ 1988 off64_t off; 1989 1990 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 1991 ftr->magic = CRYPT_MNT_MAGIC; 1992 ftr->major_version = CURRENT_MAJOR_VERSION; 1993 ftr->minor_version = CURRENT_MINOR_VERSION; 1994 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 1995 ftr->keysize = KEY_LEN_BYTES; 1996 1997 switch (keymaster_check_compatibility()) { 1998 case 1: 1999 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2000 break; 2001 2002 case 0: 2003 ftr->kdf_type = KDF_SCRYPT; 2004 break; 2005 2006 default: 2007 SLOGE("keymaster_check_compatibility failed"); 2008 return -1; 2009 } 2010 2011 get_device_scrypt_params(ftr); 2012 2013 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2014 if (get_crypt_ftr_info(NULL, &off) == 0) { 2015 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2016 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2017 ftr->persist_data_size; 2018 } 2019 2020 return 0; 2021} 2022 2023static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2024{ 2025 const char *args[10]; 2026 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2027 int num_args; 2028 int status; 2029 int tmp; 2030 int rc = -1; 2031 2032 if (type == EXT4_FS) { 2033 args[0] = "/system/bin/make_ext4fs"; 2034 args[1] = "-a"; 2035 args[2] = "/data"; 2036 args[3] = "-l"; 2037 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2038 args[4] = size_str; 2039 args[5] = crypto_blkdev; 2040 num_args = 6; 2041 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2042 args[0], args[1], args[2], args[3], args[4], args[5]); 2043 } else if (type == F2FS_FS) { 2044 args[0] = "/system/bin/mkfs.f2fs"; 2045 args[1] = "-t"; 2046 args[2] = "-d1"; 2047 args[3] = crypto_blkdev; 2048 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2049 args[4] = size_str; 2050 num_args = 5; 2051 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2052 args[0], args[1], args[2], args[3], args[4]); 2053 } else { 2054 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2055 return -1; 2056 } 2057 2058 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2059 2060 if (tmp != 0) { 2061 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2062 } else { 2063 if (WIFEXITED(status)) { 2064 if (WEXITSTATUS(status)) { 2065 SLOGE("Error creating filesystem on %s, exit status %d ", 2066 crypto_blkdev, WEXITSTATUS(status)); 2067 } else { 2068 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2069 rc = 0; 2070 } 2071 } else { 2072 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2073 } 2074 } 2075 2076 return rc; 2077} 2078 2079#define CRYPT_INPLACE_BUFSIZE 4096 2080#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2081#define CRYPT_SECTOR_SIZE 512 2082 2083/* aligned 32K writes tends to make flash happy. 2084 * SD card association recommends it. 2085 */ 2086#define BLOCKS_AT_A_TIME 8 2087 2088struct encryptGroupsData 2089{ 2090 int realfd; 2091 int cryptofd; 2092 off64_t numblocks; 2093 off64_t one_pct, cur_pct, new_pct; 2094 off64_t blocks_already_done, tot_numblocks; 2095 off64_t used_blocks_already_done, tot_used_blocks; 2096 char* real_blkdev, * crypto_blkdev; 2097 int count; 2098 off64_t offset; 2099 char* buffer; 2100 off64_t last_written_sector; 2101 int completed; 2102 time_t time_started; 2103 int remaining_time; 2104}; 2105 2106static void update_progress(struct encryptGroupsData* data, int is_used) 2107{ 2108 data->blocks_already_done++; 2109 2110 if (is_used) { 2111 data->used_blocks_already_done++; 2112 } 2113 if (data->tot_used_blocks) { 2114 data->new_pct = data->used_blocks_already_done / data->one_pct; 2115 } else { 2116 data->new_pct = data->blocks_already_done / data->one_pct; 2117 } 2118 2119 if (data->new_pct > data->cur_pct) { 2120 char buf[8]; 2121 data->cur_pct = data->new_pct; 2122 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2123 property_set("vold.encrypt_progress", buf); 2124 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct); 2125 } 2126 2127 if (data->cur_pct >= 5) { 2128 double elapsed_time = difftime(time(NULL), data->time_started); 2129 off64_t remaining_blocks = data->tot_used_blocks 2130 - data->used_blocks_already_done; 2131 int remaining_time = (int)(elapsed_time * remaining_blocks 2132 / data->used_blocks_already_done); 2133 2134 // Change time only if not yet set, lower, or a lot higher for 2135 // best user experience 2136 if (data->remaining_time == -1 2137 || remaining_time < data->remaining_time 2138 || remaining_time > data->remaining_time + 60) { 2139 char buf[8]; 2140 snprintf(buf, sizeof(buf), "%d", remaining_time); 2141 property_set("vold.encrypt_time_remaining", buf); 2142 2143 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go", 2144 data->cur_pct, remaining_time); 2145 data->remaining_time = remaining_time; 2146 } 2147 } 2148} 2149 2150static int flush_outstanding_data(struct encryptGroupsData* data) 2151{ 2152 if (data->count == 0) { 2153 return 0; 2154 } 2155 2156 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2157 2158 if (pread64(data->realfd, data->buffer, 2159 info.block_size * data->count, data->offset) 2160 <= 0) { 2161 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2162 data->real_blkdev); 2163 return -1; 2164 } 2165 2166 if (pwrite64(data->cryptofd, data->buffer, 2167 info.block_size * data->count, data->offset) 2168 <= 0) { 2169 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2170 data->crypto_blkdev); 2171 return -1; 2172 } else { 2173 SLOGI("Encrypted %d blocks at sector %" PRId64, 2174 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2175 } 2176 2177 data->count = 0; 2178 data->last_written_sector = (data->offset + data->count) 2179 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2180 return 0; 2181} 2182 2183static int encrypt_groups(struct encryptGroupsData* data) 2184{ 2185 unsigned int i; 2186 u8 *block_bitmap = 0; 2187 unsigned int block; 2188 off64_t ret; 2189 int rc = -1; 2190 2191 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2192 if (!data->buffer) { 2193 SLOGE("Failed to allocate crypto buffer"); 2194 goto errout; 2195 } 2196 2197 block_bitmap = malloc(info.block_size); 2198 if (!block_bitmap) { 2199 SLOGE("failed to allocate block bitmap"); 2200 goto errout; 2201 } 2202 2203 for (i = 0; i < aux_info.groups; ++i) { 2204 SLOGI("Encrypting group %d", i); 2205 2206 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2207 u32 block_count = min(info.blocks_per_group, 2208 aux_info.len_blocks - first_block); 2209 2210 off64_t offset = (u64)info.block_size 2211 * aux_info.bg_desc[i].bg_block_bitmap; 2212 2213 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2214 if (ret != (int)info.block_size) { 2215 SLOGE("failed to read all of block group bitmap %d", i); 2216 goto errout; 2217 } 2218 2219 offset = (u64)info.block_size * first_block; 2220 2221 data->count = 0; 2222 2223 for (block = 0; block < block_count; block++) { 2224 int used = bitmap_get_bit(block_bitmap, block); 2225 update_progress(data, used); 2226 if (used) { 2227 if (data->count == 0) { 2228 data->offset = offset; 2229 } 2230 data->count++; 2231 } else { 2232 if (flush_outstanding_data(data)) { 2233 goto errout; 2234 } 2235 } 2236 2237 offset += info.block_size; 2238 2239 /* Write data if we are aligned or buffer size reached */ 2240 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2241 || data->count == BLOCKS_AT_A_TIME) { 2242 if (flush_outstanding_data(data)) { 2243 goto errout; 2244 } 2245 } 2246 2247 if (!is_battery_ok_to_continue()) { 2248 SLOGE("Stopping encryption due to low battery"); 2249 rc = 0; 2250 goto errout; 2251 } 2252 2253 } 2254 if (flush_outstanding_data(data)) { 2255 goto errout; 2256 } 2257 } 2258 2259 data->completed = 1; 2260 rc = 0; 2261 2262errout: 2263 free(data->buffer); 2264 free(block_bitmap); 2265 return rc; 2266} 2267 2268static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2269 char *real_blkdev, 2270 off64_t size, 2271 off64_t *size_already_done, 2272 off64_t tot_size, 2273 off64_t previously_encrypted_upto) 2274{ 2275 u32 i; 2276 struct encryptGroupsData data; 2277 int rc; // Can't initialize without causing warning -Wclobbered 2278 2279 if (previously_encrypted_upto > *size_already_done) { 2280 SLOGD("Not fast encrypting since resuming part way through"); 2281 return -1; 2282 } 2283 2284 memset(&data, 0, sizeof(data)); 2285 data.real_blkdev = real_blkdev; 2286 data.crypto_blkdev = crypto_blkdev; 2287 2288 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2289 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2290 real_blkdev); 2291 rc = -1; 2292 goto errout; 2293 } 2294 2295 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2296 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2297 crypto_blkdev); 2298 rc = -1; 2299 goto errout; 2300 } 2301 2302 if (setjmp(setjmp_env)) { 2303 SLOGE("Reading extent caused an exception"); 2304 rc = -1; 2305 goto errout; 2306 } 2307 2308 if (read_ext(data.realfd, 0) != 0) { 2309 SLOGE("Failed to read extent"); 2310 rc = -1; 2311 goto errout; 2312 } 2313 2314 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2315 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2316 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2317 2318 SLOGI("Encrypting filesystem in place..."); 2319 2320 data.tot_used_blocks = data.numblocks; 2321 for (i = 0; i < aux_info.groups; ++i) { 2322 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2323 } 2324 2325 data.one_pct = data.tot_used_blocks / 100; 2326 data.cur_pct = 0; 2327 data.time_started = time(NULL); 2328 data.remaining_time = -1; 2329 2330 rc = encrypt_groups(&data); 2331 if (rc) { 2332 SLOGE("Error encrypting groups"); 2333 goto errout; 2334 } 2335 2336 *size_already_done += data.completed ? size : data.last_written_sector; 2337 rc = 0; 2338 2339errout: 2340 close(data.realfd); 2341 close(data.cryptofd); 2342 2343 return rc; 2344} 2345 2346static int encrypt_one_block_f2fs(u64 pos, void *data) 2347{ 2348 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2349 2350 priv_dat->blocks_already_done = pos - 1; 2351 update_progress(priv_dat, 1); 2352 2353 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2354 2355 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2356 SLOGE("Error reading real_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2357 return -1; 2358 } 2359 2360 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2361 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2362 return -1; 2363 } else { 2364 SLOGD("Encrypted block %"PRIu64, pos); 2365 } 2366 2367 return 0; 2368} 2369 2370static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2371 char *real_blkdev, 2372 off64_t size, 2373 off64_t *size_already_done, 2374 off64_t tot_size, 2375 off64_t previously_encrypted_upto) 2376{ 2377 u32 i; 2378 struct encryptGroupsData data; 2379 struct f2fs_info *f2fs_info = NULL; 2380 int rc = -1; 2381 if (previously_encrypted_upto > *size_already_done) { 2382 SLOGD("Not fast encrypting since resuming part way through"); 2383 return -1; 2384 } 2385 memset(&data, 0, sizeof(data)); 2386 data.real_blkdev = real_blkdev; 2387 data.crypto_blkdev = crypto_blkdev; 2388 data.realfd = -1; 2389 data.cryptofd = -1; 2390 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2391 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2392 real_blkdev); 2393 goto errout; 2394 } 2395 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2396 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2397 crypto_blkdev); 2398 goto errout; 2399 } 2400 2401 f2fs_info = generate_f2fs_info(data.realfd); 2402 if (!f2fs_info) 2403 goto errout; 2404 2405 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2406 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2407 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2408 2409 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2410 2411 data.one_pct = data.tot_used_blocks / 100; 2412 data.cur_pct = 0; 2413 data.time_started = time(NULL); 2414 data.remaining_time = -1; 2415 2416 data.buffer = malloc(f2fs_info->block_size); 2417 if (!data.buffer) { 2418 SLOGE("Failed to allocate crypto buffer"); 2419 goto errout; 2420 } 2421 2422 data.count = 0; 2423 2424 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2425 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2426 2427 if (rc) { 2428 SLOGE("Error in running over blocks"); 2429 goto errout; 2430 } 2431 2432 *size_already_done += size; 2433 rc = 0; 2434 2435errout: 2436 if (rc) 2437 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2438 2439 free(f2fs_info); 2440 free(data.buffer); 2441 close(data.realfd); 2442 close(data.cryptofd); 2443 2444 return rc; 2445} 2446 2447static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2448 off64_t size, off64_t *size_already_done, 2449 off64_t tot_size, 2450 off64_t previously_encrypted_upto) 2451{ 2452 int realfd, cryptofd; 2453 char *buf[CRYPT_INPLACE_BUFSIZE]; 2454 int rc = -1; 2455 off64_t numblocks, i, remainder; 2456 off64_t one_pct, cur_pct, new_pct; 2457 off64_t blocks_already_done, tot_numblocks; 2458 2459 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2460 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2461 return -1; 2462 } 2463 2464 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2465 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev); 2466 close(realfd); 2467 return -1; 2468 } 2469 2470 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2471 * The size passed in is the number of 512 byte sectors in the filesystem. 2472 * So compute the number of whole 4K blocks we should read/write, 2473 * and the remainder. 2474 */ 2475 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2476 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2477 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2478 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2479 2480 SLOGE("Encrypting filesystem in place..."); 2481 2482 i = previously_encrypted_upto + 1 - *size_already_done; 2483 2484 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2485 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2486 goto errout; 2487 } 2488 2489 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2490 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2491 goto errout; 2492 } 2493 2494 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2495 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2496 SLOGE("Error reading initial sectors from real_blkdev %s for " 2497 "inplace encrypt\n", crypto_blkdev); 2498 goto errout; 2499 } 2500 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2501 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2502 "inplace encrypt\n", crypto_blkdev); 2503 goto errout; 2504 } else { 2505 SLOGI("Encrypted 1 block at %" PRId64, i); 2506 } 2507 } 2508 2509 one_pct = tot_numblocks / 100; 2510 cur_pct = 0; 2511 /* process the majority of the filesystem in blocks */ 2512 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2513 new_pct = (i + blocks_already_done) / one_pct; 2514 if (new_pct > cur_pct) { 2515 char buf[8]; 2516 2517 cur_pct = new_pct; 2518 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2519 property_set("vold.encrypt_progress", buf); 2520 } 2521 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2522 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2523 goto errout; 2524 } 2525 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2526 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2527 goto errout; 2528 } else { 2529 SLOGD("Encrypted %d block at %" PRId64, 2530 CRYPT_SECTORS_PER_BUFSIZE, 2531 i * CRYPT_SECTORS_PER_BUFSIZE); 2532 } 2533 2534 if (!is_battery_ok_to_continue()) { 2535 SLOGE("Stopping encryption due to low battery"); 2536 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2537 rc = 0; 2538 goto errout; 2539 } 2540 } 2541 2542 /* Do any remaining sectors */ 2543 for (i=0; i<remainder; i++) { 2544 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2545 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2546 goto errout; 2547 } 2548 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2549 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2550 goto errout; 2551 } else { 2552 SLOGI("Encrypted 1 block at next location"); 2553 } 2554 } 2555 2556 *size_already_done += size; 2557 rc = 0; 2558 2559errout: 2560 close(realfd); 2561 close(cryptofd); 2562 2563 return rc; 2564} 2565 2566static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2567 off64_t size, off64_t *size_already_done, 2568 off64_t tot_size, 2569 off64_t previously_encrypted_upto) 2570{ 2571 if (previously_encrypted_upto) { 2572 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2573 } 2574 2575 if (*size_already_done + size < previously_encrypted_upto) { 2576 *size_already_done += size; 2577 return 0; 2578 } 2579 2580 /* TODO: identify filesystem type. 2581 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2582 * then we will drop down to cryptfs_enable_inplace_f2fs. 2583 * */ 2584 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2585 size, size_already_done, 2586 tot_size, previously_encrypted_upto) == 0) { 2587 return 0; 2588 } 2589 2590 if (cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2591 size, size_already_done, 2592 tot_size, previously_encrypted_upto) == 0) { 2593 return 0; 2594 } 2595 2596 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2597 size, size_already_done, tot_size, 2598 previously_encrypted_upto); 2599} 2600 2601#define CRYPTO_ENABLE_WIPE 1 2602#define CRYPTO_ENABLE_INPLACE 2 2603 2604#define FRAMEWORK_BOOT_WAIT 60 2605 2606static inline int should_encrypt(struct volume_info *volume) 2607{ 2608 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2609 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2610} 2611 2612static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2613{ 2614 int fd = open(filename, O_RDONLY); 2615 if (fd == -1) { 2616 SLOGE("Error opening file %s", filename); 2617 return -1; 2618 } 2619 2620 char block[CRYPT_INPLACE_BUFSIZE]; 2621 memset(block, 0, sizeof(block)); 2622 if (unix_read(fd, block, sizeof(block)) < 0) { 2623 SLOGE("Error reading file %s", filename); 2624 close(fd); 2625 return -1; 2626 } 2627 2628 close(fd); 2629 2630 SHA256_CTX c; 2631 SHA256_Init(&c); 2632 SHA256_Update(&c, block, sizeof(block)); 2633 SHA256_Final(buf, &c); 2634 2635 return 0; 2636} 2637 2638static int get_fs_type(struct fstab_rec *rec) 2639{ 2640 if (!strcmp(rec->fs_type, "ext4")) { 2641 return EXT4_FS; 2642 } else if (!strcmp(rec->fs_type, "f2fs")) { 2643 return F2FS_FS; 2644 } else { 2645 return -1; 2646 } 2647} 2648 2649static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2650 char *crypto_blkdev, char *real_blkdev, 2651 int previously_encrypted_upto) 2652{ 2653 off64_t cur_encryption_done=0, tot_encryption_size=0; 2654 int i, rc = -1; 2655 2656 if (!is_battery_ok_to_start()) { 2657 SLOGW("Not starting encryption due to low battery"); 2658 return 0; 2659 } 2660 2661 /* The size of the userdata partition, and add in the vold volumes below */ 2662 tot_encryption_size = crypt_ftr->fs_size; 2663 2664 if (how == CRYPTO_ENABLE_WIPE) { 2665 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2666 int fs_type = get_fs_type(rec); 2667 if (fs_type < 0) { 2668 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2669 return -1; 2670 } 2671 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2672 } else if (how == CRYPTO_ENABLE_INPLACE) { 2673 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2674 crypt_ftr->fs_size, &cur_encryption_done, 2675 tot_encryption_size, 2676 previously_encrypted_upto); 2677 2678 if (!rc) { 2679 crypt_ftr->encrypted_upto = cur_encryption_done; 2680 } 2681 2682 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2683 /* The inplace routine never actually sets the progress to 100% due 2684 * to the round down nature of integer division, so set it here */ 2685 property_set("vold.encrypt_progress", "100"); 2686 } 2687 } else { 2688 /* Shouldn't happen */ 2689 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2690 rc = -1; 2691 } 2692 2693 return rc; 2694} 2695 2696int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2697 int allow_reboot) 2698{ 2699 int how = 0; 2700 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2701 unsigned long nr_sec; 2702 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2703 int rc=-1, fd, i, ret; 2704 struct crypt_mnt_ftr crypt_ftr; 2705 struct crypt_persist_data *pdata; 2706 char encrypted_state[PROPERTY_VALUE_MAX]; 2707 char lockid[32] = { 0 }; 2708 char key_loc[PROPERTY_VALUE_MAX]; 2709 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2710 char *sd_mnt_point; 2711 int num_vols; 2712 struct volume_info *vol_list = 0; 2713 off64_t previously_encrypted_upto = 0; 2714 2715 if (!strcmp(howarg, "wipe")) { 2716 how = CRYPTO_ENABLE_WIPE; 2717 } else if (! strcmp(howarg, "inplace")) { 2718 how = CRYPTO_ENABLE_INPLACE; 2719 } else { 2720 /* Shouldn't happen, as CommandListener vets the args */ 2721 goto error_unencrypted; 2722 } 2723 2724 /* See if an encryption was underway and interrupted */ 2725 if (how == CRYPTO_ENABLE_INPLACE 2726 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2727 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2728 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2729 crypt_ftr.encrypted_upto = 0; 2730 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2731 2732 /* At this point, we are in an inconsistent state. Until we successfully 2733 complete encryption, a reboot will leave us broken. So mark the 2734 encryption failed in case that happens. 2735 On successfully completing encryption, remove this flag */ 2736 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2737 2738 put_crypt_ftr_and_key(&crypt_ftr); 2739 } 2740 2741 property_get("ro.crypto.state", encrypted_state, ""); 2742 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2743 SLOGE("Device is already running encrypted, aborting"); 2744 goto error_unencrypted; 2745 } 2746 2747 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2748 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2749 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2750 2751 /* Get the size of the real block device */ 2752 fd = open(real_blkdev, O_RDONLY); 2753 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2754 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2755 goto error_unencrypted; 2756 } 2757 close(fd); 2758 2759 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2760 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2761 unsigned int fs_size_sec, max_fs_size_sec; 2762 fs_size_sec = get_fs_size(real_blkdev); 2763 if (fs_size_sec == 0) 2764 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2765 2766 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2767 2768 if (fs_size_sec > max_fs_size_sec) { 2769 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2770 goto error_unencrypted; 2771 } 2772 } 2773 2774 /* Get a wakelock as this may take a while, and we don't want the 2775 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2776 * wants to keep the screen on, it can grab a full wakelock. 2777 */ 2778 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2779 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2780 2781 /* Get the sdcard mount point */ 2782 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2783 if (!sd_mnt_point) { 2784 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2785 } 2786 if (!sd_mnt_point) { 2787 sd_mnt_point = "/mnt/sdcard"; 2788 } 2789 2790 /* TODO 2791 * Currently do not have test devices with multiple encryptable volumes. 2792 * When we acquire some, re-add support. 2793 */ 2794 num_vols=vold_getNumDirectVolumes(); 2795 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2796 vold_getDirectVolumeList(vol_list); 2797 2798 for (i=0; i<num_vols; i++) { 2799 if (should_encrypt(&vol_list[i])) { 2800 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2801 "%s\n", vol_list[i].label); 2802 goto error_unencrypted; 2803 } 2804 } 2805 2806 /* The init files are setup to stop the class main and late start when 2807 * vold sets trigger_shutdown_framework. 2808 */ 2809 property_set("vold.decrypt", "trigger_shutdown_framework"); 2810 SLOGD("Just asked init to shut down class main\n"); 2811 2812 if (vold_unmountAllAsecs()) { 2813 /* Just report the error. If any are left mounted, 2814 * umounting /data below will fail and handle the error. 2815 */ 2816 SLOGE("Error unmounting internal asecs"); 2817 } 2818 2819 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 2820 if (!strcmp(fuse_sdcard, "true")) { 2821 /* This is a device using the fuse layer to emulate the sdcard semantics 2822 * on top of the userdata partition. vold does not manage it, it is managed 2823 * by the sdcard service. The sdcard service was killed by the property trigger 2824 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 2825 * unlike the case for vold managed devices above. 2826 */ 2827 if (wait_and_unmount(sd_mnt_point)) { 2828 goto error_shutting_down; 2829 } 2830 } 2831 2832 /* Now unmount the /data partition. */ 2833 if (wait_and_unmount(DATA_MNT_POINT)) { 2834 if (allow_reboot) { 2835 goto error_shutting_down; 2836 } else { 2837 goto error_unencrypted; 2838 } 2839 } 2840 2841 /* Do extra work for a better UX when doing the long inplace encryption */ 2842 if (how == CRYPTO_ENABLE_INPLACE) { 2843 /* Now that /data is unmounted, we need to mount a tmpfs 2844 * /data, set a property saying we're doing inplace encryption, 2845 * and restart the framework. 2846 */ 2847 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2848 goto error_shutting_down; 2849 } 2850 /* Tells the framework that inplace encryption is starting */ 2851 property_set("vold.encrypt_progress", "0"); 2852 2853 /* restart the framework. */ 2854 /* Create necessary paths on /data */ 2855 if (prep_data_fs()) { 2856 goto error_shutting_down; 2857 } 2858 2859 /* Ugh, shutting down the framework is not synchronous, so until it 2860 * can be fixed, this horrible hack will wait a moment for it all to 2861 * shut down before proceeding. Without it, some devices cannot 2862 * restart the graphics services. 2863 */ 2864 sleep(2); 2865 2866 /* startup service classes main and late_start */ 2867 property_set("vold.decrypt", "trigger_restart_min_framework"); 2868 SLOGD("Just triggered restart_min_framework\n"); 2869 2870 /* OK, the framework is restarted and will soon be showing a 2871 * progress bar. Time to setup an encrypted mapping, and 2872 * either write a new filesystem, or encrypt in place updating 2873 * the progress bar as we work. 2874 */ 2875 } 2876 2877 /* Start the actual work of making an encrypted filesystem */ 2878 /* Initialize a crypt_mnt_ftr for the partition */ 2879 if (previously_encrypted_upto == 0) { 2880 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2881 goto error_shutting_down; 2882 } 2883 2884 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2885 crypt_ftr.fs_size = nr_sec 2886 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2887 } else { 2888 crypt_ftr.fs_size = nr_sec; 2889 } 2890 /* At this point, we are in an inconsistent state. Until we successfully 2891 complete encryption, a reboot will leave us broken. So mark the 2892 encryption failed in case that happens. 2893 On successfully completing encryption, remove this flag */ 2894 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2895 crypt_ftr.crypt_type = crypt_type; 2896 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 2897 2898 /* Make an encrypted master key */ 2899 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2900 SLOGE("Cannot create encrypted master key\n"); 2901 goto error_shutting_down; 2902 } 2903 2904 /* Write the key to the end of the partition */ 2905 put_crypt_ftr_and_key(&crypt_ftr); 2906 2907 /* If any persistent data has been remembered, save it. 2908 * If none, create a valid empty table and save that. 2909 */ 2910 if (!persist_data) { 2911 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 2912 if (pdata) { 2913 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2914 persist_data = pdata; 2915 } 2916 } 2917 if (persist_data) { 2918 save_persistent_data(); 2919 } 2920 } 2921 2922 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2923 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2924 "userdata"); 2925 2926 /* If we are continuing, check checksums match */ 2927 rc = 0; 2928 if (previously_encrypted_upto) { 2929 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2930 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2931 2932 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2933 sizeof(hash_first_block)) != 0) { 2934 SLOGE("Checksums do not match - trigger wipe"); 2935 rc = -1; 2936 } 2937 } 2938 2939 if (!rc) { 2940 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 2941 crypto_blkdev, real_blkdev, 2942 previously_encrypted_upto); 2943 } 2944 2945 /* Calculate checksum if we are not finished */ 2946 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2947 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2948 crypt_ftr.hash_first_block); 2949 if (rc) { 2950 SLOGE("Error calculating checksum for continuing encryption"); 2951 rc = -1; 2952 } 2953 } 2954 2955 /* Undo the dm-crypt mapping whether we succeed or not */ 2956 delete_crypto_blk_dev("userdata"); 2957 2958 free(vol_list); 2959 2960 if (! rc) { 2961 /* Success */ 2962 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2963 2964 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2965 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2966 crypt_ftr.encrypted_upto); 2967 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2968 } 2969 2970 put_crypt_ftr_and_key(&crypt_ftr); 2971 2972 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2973 char value[PROPERTY_VALUE_MAX]; 2974 property_get("ro.crypto.state", value, ""); 2975 if (!strcmp(value, "")) { 2976 /* default encryption - continue first boot sequence */ 2977 property_set("ro.crypto.state", "encrypted"); 2978 release_wake_lock(lockid); 2979 cryptfs_check_passwd(DEFAULT_PASSWORD); 2980 cryptfs_restart_internal(1); 2981 return 0; 2982 } else { 2983 sleep(2); /* Give the UI a chance to show 100% progress */ 2984 cryptfs_reboot(reboot); 2985 } 2986 } else { 2987 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2988 cryptfs_reboot(shutdown); 2989 } 2990 } else { 2991 char value[PROPERTY_VALUE_MAX]; 2992 2993 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2994 if (!strcmp(value, "1")) { 2995 /* wipe data if encryption failed */ 2996 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2997 mkdir("/cache/recovery", 0700); 2998 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 2999 if (fd >= 0) { 3000 write(fd, "--wipe_data", strlen("--wipe_data") + 1); 3001 close(fd); 3002 } else { 3003 SLOGE("could not open /cache/recovery/command\n"); 3004 } 3005 cryptfs_reboot(recovery); 3006 } else { 3007 /* set property to trigger dialog */ 3008 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3009 release_wake_lock(lockid); 3010 } 3011 return -1; 3012 } 3013 3014 /* hrm, the encrypt step claims success, but the reboot failed. 3015 * This should not happen. 3016 * Set the property and return. Hope the framework can deal with it. 3017 */ 3018 property_set("vold.encrypt_progress", "error_reboot_failed"); 3019 release_wake_lock(lockid); 3020 return rc; 3021 3022error_unencrypted: 3023 free(vol_list); 3024 property_set("vold.encrypt_progress", "error_not_encrypted"); 3025 if (lockid[0]) { 3026 release_wake_lock(lockid); 3027 } 3028 return -1; 3029 3030error_shutting_down: 3031 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3032 * but the framework is stopped and not restarted to show the error, so it's up to 3033 * vold to restart the system. 3034 */ 3035 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3036 cryptfs_reboot(reboot); 3037 3038 /* shouldn't get here */ 3039 property_set("vold.encrypt_progress", "error_shutting_down"); 3040 free(vol_list); 3041 if (lockid[0]) { 3042 release_wake_lock(lockid); 3043 } 3044 return -1; 3045} 3046 3047int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3048{ 3049 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3050} 3051 3052int cryptfs_enable_default(char *howarg, int allow_reboot) 3053{ 3054 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3055 DEFAULT_PASSWORD, allow_reboot); 3056} 3057 3058int cryptfs_changepw(int crypt_type, const char *newpw) 3059{ 3060 struct crypt_mnt_ftr crypt_ftr; 3061 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3062 3063 /* This is only allowed after we've successfully decrypted the master key */ 3064 if (!master_key_saved) { 3065 SLOGE("Key not saved, aborting"); 3066 return -1; 3067 } 3068 3069 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3070 SLOGE("Invalid crypt_type %d", crypt_type); 3071 return -1; 3072 } 3073 3074 /* get key */ 3075 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3076 SLOGE("Error getting crypt footer and key"); 3077 return -1; 3078 } 3079 3080 crypt_ftr.crypt_type = crypt_type; 3081 3082 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3083 : newpw, 3084 crypt_ftr.salt, 3085 saved_master_key, 3086 crypt_ftr.master_key, 3087 &crypt_ftr); 3088 3089 /* save the key */ 3090 put_crypt_ftr_and_key(&crypt_ftr); 3091 3092 return 0; 3093} 3094 3095static int persist_get_key(char *fieldname, char *value) 3096{ 3097 unsigned int i; 3098 3099 if (persist_data == NULL) { 3100 return -1; 3101 } 3102 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3103 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3104 /* We found it! */ 3105 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3106 return 0; 3107 } 3108 } 3109 3110 return -1; 3111} 3112 3113static int persist_set_key(char *fieldname, char *value, int encrypted) 3114{ 3115 unsigned int i; 3116 unsigned int num; 3117 struct crypt_mnt_ftr crypt_ftr; 3118 unsigned int max_persistent_entries; 3119 unsigned int dsize; 3120 3121 if (persist_data == NULL) { 3122 return -1; 3123 } 3124 3125 /* If encrypted, use the values from the crypt_ftr, otherwise 3126 * use the values for the current spec. 3127 */ 3128 if (encrypted) { 3129 if(get_crypt_ftr_and_key(&crypt_ftr)) { 3130 return -1; 3131 } 3132 dsize = crypt_ftr.persist_data_size; 3133 } else { 3134 dsize = CRYPT_PERSIST_DATA_SIZE; 3135 } 3136 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3137 sizeof(struct crypt_persist_entry); 3138 3139 num = persist_data->persist_valid_entries; 3140 3141 for (i = 0; i < num; i++) { 3142 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3143 /* We found an existing entry, update it! */ 3144 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3145 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3146 return 0; 3147 } 3148 } 3149 3150 /* We didn't find it, add it to the end, if there is room */ 3151 if (persist_data->persist_valid_entries < max_persistent_entries) { 3152 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3153 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3154 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3155 persist_data->persist_valid_entries++; 3156 return 0; 3157 } 3158 3159 return -1; 3160} 3161 3162/* Return the value of the specified field. */ 3163int cryptfs_getfield(char *fieldname, char *value, int len) 3164{ 3165 char temp_value[PROPERTY_VALUE_MAX]; 3166 char real_blkdev[MAXPATHLEN]; 3167 /* 0 is success, 1 is not encrypted, 3168 * -1 is value not set, -2 is any other error 3169 */ 3170 int rc = -2; 3171 3172 if (persist_data == NULL) { 3173 load_persistent_data(); 3174 if (persist_data == NULL) { 3175 SLOGE("Getfield error, cannot load persistent data"); 3176 goto out; 3177 } 3178 } 3179 3180 if (!persist_get_key(fieldname, temp_value)) { 3181 /* We found it, copy it to the caller's buffer and return */ 3182 strlcpy(value, temp_value, len); 3183 rc = 0; 3184 } else { 3185 /* Sadness, it's not there. Return the error */ 3186 rc = -1; 3187 } 3188 3189out: 3190 return rc; 3191} 3192 3193/* Set the value of the specified field. */ 3194int cryptfs_setfield(char *fieldname, char *value) 3195{ 3196 struct crypt_persist_data stored_pdata; 3197 struct crypt_persist_data *pdata_p; 3198 struct crypt_mnt_ftr crypt_ftr; 3199 char encrypted_state[PROPERTY_VALUE_MAX]; 3200 /* 0 is success, -1 is an error */ 3201 int rc = -1; 3202 int encrypted = 0; 3203 3204 if (persist_data == NULL) { 3205 load_persistent_data(); 3206 if (persist_data == NULL) { 3207 SLOGE("Setfield error, cannot load persistent data"); 3208 goto out; 3209 } 3210 } 3211 3212 property_get("ro.crypto.state", encrypted_state, ""); 3213 if (!strcmp(encrypted_state, "encrypted") ) { 3214 encrypted = 1; 3215 } 3216 3217 if (persist_set_key(fieldname, value, encrypted)) { 3218 goto out; 3219 } 3220 3221 /* If we are running encrypted, save the persistent data now */ 3222 if (encrypted) { 3223 if (save_persistent_data()) { 3224 SLOGE("Setfield error, cannot save persistent data"); 3225 goto out; 3226 } 3227 } 3228 3229 rc = 0; 3230 3231out: 3232 return rc; 3233} 3234 3235/* Checks userdata. Attempt to mount the volume if default- 3236 * encrypted. 3237 * On success trigger next init phase and return 0. 3238 * Currently do not handle failure - see TODO below. 3239 */ 3240int cryptfs_mount_default_encrypted(void) 3241{ 3242 char decrypt_state[PROPERTY_VALUE_MAX]; 3243 property_get("vold.decrypt", decrypt_state, "0"); 3244 if (!strcmp(decrypt_state, "0")) { 3245 SLOGE("Not encrypted - should not call here"); 3246 } else { 3247 int crypt_type = cryptfs_get_password_type(); 3248 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3249 SLOGE("Bad crypt type - error"); 3250 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3251 SLOGD("Password is not default - " 3252 "starting min framework to prompt"); 3253 property_set("vold.decrypt", "trigger_restart_min_framework"); 3254 return 0; 3255 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3256 SLOGD("Password is default - restarting filesystem"); 3257 cryptfs_restart_internal(0); 3258 return 0; 3259 } else { 3260 SLOGE("Encrypted, default crypt type but can't decrypt"); 3261 } 3262 } 3263 3264 /** Corrupt. Allow us to boot into framework, which will detect bad 3265 crypto when it calls do_crypto_complete, then do a factory reset 3266 */ 3267 property_set("vold.decrypt", "trigger_restart_min_framework"); 3268 return 0; 3269} 3270 3271/* Returns type of the password, default, pattern, pin or password. 3272 */ 3273int cryptfs_get_password_type(void) 3274{ 3275 struct crypt_mnt_ftr crypt_ftr; 3276 3277 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3278 SLOGE("Error getting crypt footer and key\n"); 3279 return -1; 3280 } 3281 3282 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3283 return -1; 3284 } 3285 3286 return crypt_ftr.crypt_type; 3287} 3288 3289char* cryptfs_get_password() 3290{ 3291 struct timespec now; 3292 clock_gettime(CLOCK_MONOTONIC, &now); 3293 if (now.tv_sec < password_expiry_time) { 3294 return password; 3295 } else { 3296 cryptfs_clear_password(); 3297 return 0; 3298 } 3299} 3300 3301void cryptfs_clear_password() 3302{ 3303 if (password) { 3304 size_t len = strlen(password); 3305 memset(password, 0, len); 3306 free(password); 3307 password = 0; 3308 password_expiry_time = 0; 3309 } 3310} 3311