cryptfs.c revision d1fd8468d018291698de17bacb23fc7ba1d900d8
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include "cryptfs.h" 46#define LOG_TAG "Cryptfs" 47#include "cutils/log.h" 48#include "cutils/properties.h" 49#include "cutils/android_reboot.h" 50#include "hardware_legacy/power.h" 51#include <logwrap/logwrap.h> 52#include "VolumeManager.h" 53#include "VoldUtil.h" 54#include "crypto_scrypt.h" 55#include "ext4_utils.h" 56#include "f2fs_sparseblock.h" 57#include "CheckBattery.h" 58#include "Process.h" 59 60#include <hardware/keymaster0.h> 61 62#define UNUSED __attribute__((unused)) 63 64#define UNUSED __attribute__((unused)) 65 66#define DM_CRYPT_BUF_SIZE 4096 67 68#define HASH_COUNT 2000 69#define KEY_LEN_BYTES 16 70#define IV_LEN_BYTES 16 71 72#define KEY_IN_FOOTER "footer" 73 74// "default_password" encoded into hex (d=0x64 etc) 75#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 76 77#define EXT4_FS 1 78#define F2FS_FS 2 79 80#define TABLE_LOAD_RETRIES 10 81 82#define RSA_KEY_SIZE 2048 83#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 84#define RSA_EXPONENT 0x10001 85 86#define RETRY_MOUNT_ATTEMPTS 10 87#define RETRY_MOUNT_DELAY_SECONDS 1 88 89char *me = "cryptfs"; 90 91static unsigned char saved_master_key[KEY_LEN_BYTES]; 92static char *saved_mount_point; 93static int master_key_saved = 0; 94static struct crypt_persist_data *persist_data = NULL; 95 96static int keymaster_init(keymaster0_device_t **keymaster_dev) 97{ 98 int rc; 99 100 const hw_module_t* mod; 101 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 102 if (rc) { 103 ALOGE("could not find any keystore module"); 104 goto out; 105 } 106 107 rc = keymaster0_open(mod, keymaster_dev); 108 if (rc) { 109 ALOGE("could not open keymaster device in %s (%s)", 110 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 111 goto out; 112 } 113 114 return 0; 115 116out: 117 *keymaster_dev = NULL; 118 return rc; 119} 120 121/* Should we use keymaster? */ 122static int keymaster_check_compatibility() 123{ 124 keymaster0_device_t *keymaster_dev = 0; 125 int rc = 0; 126 127 if (keymaster_init(&keymaster_dev)) { 128 SLOGE("Failed to init keymaster"); 129 rc = -1; 130 goto out; 131 } 132 133 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 134 135 if (keymaster_dev->common.module->module_api_version 136 < KEYMASTER_MODULE_API_VERSION_0_3) { 137 rc = 0; 138 goto out; 139 } 140 141 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 142 rc = 1; 143 } 144 145out: 146 keymaster0_close(keymaster_dev); 147 return rc; 148} 149 150/* Create a new keymaster key and store it in this footer */ 151static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 152{ 153 uint8_t* key = 0; 154 keymaster0_device_t *keymaster_dev = 0; 155 156 if (keymaster_init(&keymaster_dev)) { 157 SLOGE("Failed to init keymaster"); 158 return -1; 159 } 160 161 int rc = 0; 162 163 keymaster_rsa_keygen_params_t params; 164 memset(¶ms, '\0', sizeof(params)); 165 params.public_exponent = RSA_EXPONENT; 166 params.modulus_size = RSA_KEY_SIZE; 167 168 size_t key_size; 169 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 170 &key, &key_size)) { 171 SLOGE("Failed to generate keypair"); 172 rc = -1; 173 goto out; 174 } 175 176 if (key_size > KEYMASTER_BLOB_SIZE) { 177 SLOGE("Keymaster key too large for crypto footer"); 178 rc = -1; 179 goto out; 180 } 181 182 memcpy(ftr->keymaster_blob, key, key_size); 183 ftr->keymaster_blob_size = key_size; 184 185out: 186 keymaster0_close(keymaster_dev); 187 free(key); 188 return rc; 189} 190 191/* This signs the given object using the keymaster key. */ 192static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 193 const unsigned char *object, 194 const size_t object_size, 195 unsigned char **signature, 196 size_t *signature_size) 197{ 198 int rc = 0; 199 keymaster0_device_t *keymaster_dev = 0; 200 if (keymaster_init(&keymaster_dev)) { 201 SLOGE("Failed to init keymaster"); 202 return -1; 203 } 204 205 /* We currently set the digest type to DIGEST_NONE because it's the 206 * only supported value for keymaster. A similar issue exists with 207 * PADDING_NONE. Long term both of these should likely change. 208 */ 209 keymaster_rsa_sign_params_t params; 210 params.digest_type = DIGEST_NONE; 211 params.padding_type = PADDING_NONE; 212 213 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 214 size_t to_sign_size = sizeof(to_sign); 215 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 216 217 // To sign a message with RSA, the message must satisfy two 218 // constraints: 219 // 220 // 1. The message, when interpreted as a big-endian numeric value, must 221 // be strictly less than the public modulus of the RSA key. Note 222 // that because the most significant bit of the public modulus is 223 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 224 // key), an n-bit message with most significant bit 0 always 225 // satisfies this requirement. 226 // 227 // 2. The message must have the same length in bits as the public 228 // modulus of the RSA key. This requirement isn't mathematically 229 // necessary, but is necessary to ensure consistency in 230 // implementations. 231 switch (ftr->kdf_type) { 232 case KDF_SCRYPT_KEYMASTER_UNPADDED: 233 // This is broken: It produces a message which is shorter than 234 // the public modulus, failing criterion 2. 235 memcpy(to_sign, object, object_size); 236 to_sign_size = object_size; 237 SLOGI("Signing unpadded object"); 238 break; 239 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 240 // This is broken: Since the value of object is uniformly 241 // distributed, it produces a message that is larger than the 242 // public modulus with probability 0.25. 243 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 244 SLOGI("Signing end-padded object"); 245 break; 246 case KDF_SCRYPT_KEYMASTER: 247 // This ensures the most significant byte of the signed message 248 // is zero. We could have zero-padded to the left instead, but 249 // this approach is slightly more robust against changes in 250 // object size. However, it's still broken (but not unusably 251 // so) because we really should be using a proper RSA padding 252 // function, such as OAEP. 253 // 254 // TODO(paullawrence): When keymaster 0.4 is available, change 255 // this to use the padding options it provides. 256 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 257 SLOGI("Signing safely-padded object"); 258 break; 259 default: 260 SLOGE("Unknown KDF type %d", ftr->kdf_type); 261 return -1; 262 } 263 264 rc = keymaster_dev->sign_data(keymaster_dev, 265 ¶ms, 266 ftr->keymaster_blob, 267 ftr->keymaster_blob_size, 268 to_sign, 269 to_sign_size, 270 signature, 271 signature_size); 272 273 keymaster0_close(keymaster_dev); 274 return rc; 275} 276 277/* Store password when userdata is successfully decrypted and mounted. 278 * Cleared by cryptfs_clear_password 279 * 280 * To avoid a double prompt at boot, we need to store the CryptKeeper 281 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 282 * Since the entire framework is torn down and rebuilt after encryption, 283 * we have to use a daemon or similar to store the password. Since vold 284 * is secured against IPC except from system processes, it seems a reasonable 285 * place to store this. 286 * 287 * password should be cleared once it has been used. 288 * 289 * password is aged out after password_max_age_seconds seconds. 290 */ 291static char* password = 0; 292static int password_expiry_time = 0; 293static const int password_max_age_seconds = 60; 294 295extern struct fstab *fstab; 296 297enum RebootType {reboot, recovery, shutdown}; 298static void cryptfs_reboot(enum RebootType rt) 299{ 300 switch(rt) { 301 case reboot: 302 property_set(ANDROID_RB_PROPERTY, "reboot"); 303 break; 304 305 case recovery: 306 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 307 break; 308 309 case shutdown: 310 property_set(ANDROID_RB_PROPERTY, "shutdown"); 311 break; 312 } 313 314 sleep(20); 315 316 /* Shouldn't get here, reboot should happen before sleep times out */ 317 return; 318} 319 320static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 321{ 322 memset(io, 0, dataSize); 323 io->data_size = dataSize; 324 io->data_start = sizeof(struct dm_ioctl); 325 io->version[0] = 4; 326 io->version[1] = 0; 327 io->version[2] = 0; 328 io->flags = flags; 329 if (name) { 330 strlcpy(io->name, name, sizeof(io->name)); 331 } 332} 333 334/** 335 * Gets the default device scrypt parameters for key derivation time tuning. 336 * The parameters should lead to about one second derivation time for the 337 * given device. 338 */ 339static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 340 const int default_params[] = SCRYPT_DEFAULTS; 341 int params[] = SCRYPT_DEFAULTS; 342 char paramstr[PROPERTY_VALUE_MAX]; 343 char *token; 344 char *saveptr; 345 int i; 346 347 property_get(SCRYPT_PROP, paramstr, ""); 348 if (paramstr[0] != '\0') { 349 /* 350 * The token we're looking for should be three integers separated by 351 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 352 */ 353 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 354 token != NULL && i < 3; 355 i++, token = strtok_r(NULL, ":", &saveptr)) { 356 char *endptr; 357 params[i] = strtol(token, &endptr, 10); 358 359 /* 360 * Check that there was a valid number and it's 8-bit. If not, 361 * break out and the end check will take the default values. 362 */ 363 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 364 break; 365 } 366 } 367 368 /* 369 * If there were not enough tokens or a token was malformed (not an 370 * integer), it will end up here and the default parameters can be 371 * taken. 372 */ 373 if ((i != 3) || (token != NULL)) { 374 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 375 memcpy(params, default_params, sizeof(params)); 376 } 377 } 378 379 ftr->N_factor = params[0]; 380 ftr->r_factor = params[1]; 381 ftr->p_factor = params[2]; 382} 383 384static unsigned int get_fs_size(char *dev) 385{ 386 int fd, block_size; 387 struct ext4_super_block sb; 388 off64_t len; 389 390 if ((fd = open(dev, O_RDONLY)) < 0) { 391 SLOGE("Cannot open device to get filesystem size "); 392 return 0; 393 } 394 395 if (lseek64(fd, 1024, SEEK_SET) < 0) { 396 SLOGE("Cannot seek to superblock"); 397 return 0; 398 } 399 400 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 401 SLOGE("Cannot read superblock"); 402 return 0; 403 } 404 405 close(fd); 406 407 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 408 SLOGE("Not a valid ext4 superblock"); 409 return 0; 410 } 411 block_size = 1024 << sb.s_log_block_size; 412 /* compute length in bytes */ 413 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 414 415 /* return length in sectors */ 416 return (unsigned int) (len / 512); 417} 418 419static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 420{ 421 static int cached_data = 0; 422 static off64_t cached_off = 0; 423 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 424 int fd; 425 char key_loc[PROPERTY_VALUE_MAX]; 426 char real_blkdev[PROPERTY_VALUE_MAX]; 427 unsigned int nr_sec; 428 int rc = -1; 429 430 if (!cached_data) { 431 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 432 433 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 434 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 435 SLOGE("Cannot open real block device %s\n", real_blkdev); 436 return -1; 437 } 438 439 if ((nr_sec = get_blkdev_size(fd))) { 440 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 441 * encryption info footer and key, and plenty of bytes to spare for future 442 * growth. 443 */ 444 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 445 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 446 cached_data = 1; 447 } else { 448 SLOGE("Cannot get size of block device %s\n", real_blkdev); 449 } 450 close(fd); 451 } else { 452 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 453 cached_off = 0; 454 cached_data = 1; 455 } 456 } 457 458 if (cached_data) { 459 if (metadata_fname) { 460 *metadata_fname = cached_metadata_fname; 461 } 462 if (off) { 463 *off = cached_off; 464 } 465 rc = 0; 466 } 467 468 return rc; 469} 470 471/* key or salt can be NULL, in which case just skip writing that value. Useful to 472 * update the failed mount count but not change the key. 473 */ 474static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 475{ 476 int fd; 477 unsigned int cnt; 478 /* starting_off is set to the SEEK_SET offset 479 * where the crypto structure starts 480 */ 481 off64_t starting_off; 482 int rc = -1; 483 char *fname = NULL; 484 struct stat statbuf; 485 486 if (get_crypt_ftr_info(&fname, &starting_off)) { 487 SLOGE("Unable to get crypt_ftr_info\n"); 488 return -1; 489 } 490 if (fname[0] != '/') { 491 SLOGE("Unexpected value for crypto key location\n"); 492 return -1; 493 } 494 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 495 SLOGE("Cannot open footer file %s for put\n", fname); 496 return -1; 497 } 498 499 /* Seek to the start of the crypt footer */ 500 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 501 SLOGE("Cannot seek to real block device footer\n"); 502 goto errout; 503 } 504 505 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 506 SLOGE("Cannot write real block device footer\n"); 507 goto errout; 508 } 509 510 fstat(fd, &statbuf); 511 /* If the keys are kept on a raw block device, do not try to truncate it. */ 512 if (S_ISREG(statbuf.st_mode)) { 513 if (ftruncate(fd, 0x4000)) { 514 SLOGE("Cannot set footer file size\n"); 515 goto errout; 516 } 517 } 518 519 /* Success! */ 520 rc = 0; 521 522errout: 523 close(fd); 524 return rc; 525 526} 527 528static inline int unix_read(int fd, void* buff, int len) 529{ 530 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 531} 532 533static inline int unix_write(int fd, const void* buff, int len) 534{ 535 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 536} 537 538static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 539{ 540 memset(pdata, 0, len); 541 pdata->persist_magic = PERSIST_DATA_MAGIC; 542 pdata->persist_valid_entries = 0; 543} 544 545/* A routine to update the passed in crypt_ftr to the lastest version. 546 * fd is open read/write on the device that holds the crypto footer and persistent 547 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 548 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 549 */ 550static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 551{ 552 int orig_major = crypt_ftr->major_version; 553 int orig_minor = crypt_ftr->minor_version; 554 555 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 556 struct crypt_persist_data *pdata; 557 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 558 559 SLOGW("upgrading crypto footer to 1.1"); 560 561 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 562 if (pdata == NULL) { 563 SLOGE("Cannot allocate persisent data\n"); 564 return; 565 } 566 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 567 568 /* Need to initialize the persistent data area */ 569 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 570 SLOGE("Cannot seek to persisent data offset\n"); 571 free(pdata); 572 return; 573 } 574 /* Write all zeros to the first copy, making it invalid */ 575 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 576 577 /* Write a valid but empty structure to the second copy */ 578 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 579 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 580 581 /* Update the footer */ 582 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 583 crypt_ftr->persist_data_offset[0] = pdata_offset; 584 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 585 crypt_ftr->minor_version = 1; 586 free(pdata); 587 } 588 589 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 590 SLOGW("upgrading crypto footer to 1.2"); 591 /* But keep the old kdf_type. 592 * It will get updated later to KDF_SCRYPT after the password has been verified. 593 */ 594 crypt_ftr->kdf_type = KDF_PBKDF2; 595 get_device_scrypt_params(crypt_ftr); 596 crypt_ftr->minor_version = 2; 597 } 598 599 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 600 SLOGW("upgrading crypto footer to 1.3"); 601 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 602 crypt_ftr->minor_version = 3; 603 } 604 605 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 606 if (lseek64(fd, offset, SEEK_SET) == -1) { 607 SLOGE("Cannot seek to crypt footer\n"); 608 return; 609 } 610 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 611 } 612} 613 614 615static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 616{ 617 int fd; 618 unsigned int cnt; 619 off64_t starting_off; 620 int rc = -1; 621 char *fname = NULL; 622 struct stat statbuf; 623 624 if (get_crypt_ftr_info(&fname, &starting_off)) { 625 SLOGE("Unable to get crypt_ftr_info\n"); 626 return -1; 627 } 628 if (fname[0] != '/') { 629 SLOGE("Unexpected value for crypto key location\n"); 630 return -1; 631 } 632 if ( (fd = open(fname, O_RDWR)) < 0) { 633 SLOGE("Cannot open footer file %s for get\n", fname); 634 return -1; 635 } 636 637 /* Make sure it's 16 Kbytes in length */ 638 fstat(fd, &statbuf); 639 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 640 SLOGE("footer file %s is not the expected size!\n", fname); 641 goto errout; 642 } 643 644 /* Seek to the start of the crypt footer */ 645 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 646 SLOGE("Cannot seek to real block device footer\n"); 647 goto errout; 648 } 649 650 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 651 SLOGE("Cannot read real block device footer\n"); 652 goto errout; 653 } 654 655 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 656 SLOGE("Bad magic for real block device %s\n", fname); 657 goto errout; 658 } 659 660 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 661 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 662 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 663 goto errout; 664 } 665 666 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 667 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 668 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 669 } 670 671 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 672 * copy on disk before returning. 673 */ 674 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 675 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 676 } 677 678 /* Success! */ 679 rc = 0; 680 681errout: 682 close(fd); 683 return rc; 684} 685 686static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 687{ 688 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 689 crypt_ftr->persist_data_offset[1]) { 690 SLOGE("Crypt_ftr persist data regions overlap"); 691 return -1; 692 } 693 694 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 695 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 696 return -1; 697 } 698 699 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 700 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 701 CRYPT_FOOTER_OFFSET) { 702 SLOGE("Persistent data extends past crypto footer"); 703 return -1; 704 } 705 706 return 0; 707} 708 709static int load_persistent_data(void) 710{ 711 struct crypt_mnt_ftr crypt_ftr; 712 struct crypt_persist_data *pdata = NULL; 713 char encrypted_state[PROPERTY_VALUE_MAX]; 714 char *fname; 715 int found = 0; 716 int fd; 717 int ret; 718 int i; 719 720 if (persist_data) { 721 /* Nothing to do, we've already loaded or initialized it */ 722 return 0; 723 } 724 725 726 /* If not encrypted, just allocate an empty table and initialize it */ 727 property_get("ro.crypto.state", encrypted_state, ""); 728 if (strcmp(encrypted_state, "encrypted") ) { 729 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 730 if (pdata) { 731 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 732 persist_data = pdata; 733 return 0; 734 } 735 return -1; 736 } 737 738 if(get_crypt_ftr_and_key(&crypt_ftr)) { 739 return -1; 740 } 741 742 if ((crypt_ftr.major_version < 1) 743 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 744 SLOGE("Crypt_ftr version doesn't support persistent data"); 745 return -1; 746 } 747 748 if (get_crypt_ftr_info(&fname, NULL)) { 749 return -1; 750 } 751 752 ret = validate_persistent_data_storage(&crypt_ftr); 753 if (ret) { 754 return -1; 755 } 756 757 fd = open(fname, O_RDONLY); 758 if (fd < 0) { 759 SLOGE("Cannot open %s metadata file", fname); 760 return -1; 761 } 762 763 if (persist_data == NULL) { 764 pdata = malloc(crypt_ftr.persist_data_size); 765 if (pdata == NULL) { 766 SLOGE("Cannot allocate memory for persistent data"); 767 goto err; 768 } 769 } 770 771 for (i = 0; i < 2; i++) { 772 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 773 SLOGE("Cannot seek to read persistent data on %s", fname); 774 goto err2; 775 } 776 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 777 SLOGE("Error reading persistent data on iteration %d", i); 778 goto err2; 779 } 780 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 781 found = 1; 782 break; 783 } 784 } 785 786 if (!found) { 787 SLOGI("Could not find valid persistent data, creating"); 788 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 789 } 790 791 /* Success */ 792 persist_data = pdata; 793 close(fd); 794 return 0; 795 796err2: 797 free(pdata); 798 799err: 800 close(fd); 801 return -1; 802} 803 804static int save_persistent_data(void) 805{ 806 struct crypt_mnt_ftr crypt_ftr; 807 struct crypt_persist_data *pdata; 808 char *fname; 809 off64_t write_offset; 810 off64_t erase_offset; 811 int fd; 812 int ret; 813 814 if (persist_data == NULL) { 815 SLOGE("No persistent data to save"); 816 return -1; 817 } 818 819 if(get_crypt_ftr_and_key(&crypt_ftr)) { 820 return -1; 821 } 822 823 if ((crypt_ftr.major_version < 1) 824 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 825 SLOGE("Crypt_ftr version doesn't support persistent data"); 826 return -1; 827 } 828 829 ret = validate_persistent_data_storage(&crypt_ftr); 830 if (ret) { 831 return -1; 832 } 833 834 if (get_crypt_ftr_info(&fname, NULL)) { 835 return -1; 836 } 837 838 fd = open(fname, O_RDWR); 839 if (fd < 0) { 840 SLOGE("Cannot open %s metadata file", fname); 841 return -1; 842 } 843 844 pdata = malloc(crypt_ftr.persist_data_size); 845 if (pdata == NULL) { 846 SLOGE("Cannot allocate persistant data"); 847 goto err; 848 } 849 850 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 851 SLOGE("Cannot seek to read persistent data on %s", fname); 852 goto err2; 853 } 854 855 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 856 SLOGE("Error reading persistent data before save"); 857 goto err2; 858 } 859 860 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 861 /* The first copy is the curent valid copy, so write to 862 * the second copy and erase this one */ 863 write_offset = crypt_ftr.persist_data_offset[1]; 864 erase_offset = crypt_ftr.persist_data_offset[0]; 865 } else { 866 /* The second copy must be the valid copy, so write to 867 * the first copy, and erase the second */ 868 write_offset = crypt_ftr.persist_data_offset[0]; 869 erase_offset = crypt_ftr.persist_data_offset[1]; 870 } 871 872 /* Write the new copy first, if successful, then erase the old copy */ 873 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 874 SLOGE("Cannot seek to write persistent data"); 875 goto err2; 876 } 877 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 878 (int) crypt_ftr.persist_data_size) { 879 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 880 SLOGE("Cannot seek to erase previous persistent data"); 881 goto err2; 882 } 883 fsync(fd); 884 memset(pdata, 0, crypt_ftr.persist_data_size); 885 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 886 (int) crypt_ftr.persist_data_size) { 887 SLOGE("Cannot write to erase previous persistent data"); 888 goto err2; 889 } 890 fsync(fd); 891 } else { 892 SLOGE("Cannot write to save persistent data"); 893 goto err2; 894 } 895 896 /* Success */ 897 free(pdata); 898 close(fd); 899 return 0; 900 901err2: 902 free(pdata); 903err: 904 close(fd); 905 return -1; 906} 907 908static int hexdigit (char c) 909{ 910 if (c >= '0' && c <= '9') return c - '0'; 911 c = tolower(c); 912 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 913 return -1; 914} 915 916static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 917 unsigned int* out_keysize) 918{ 919 unsigned int i; 920 *out_keysize = 0; 921 922 size_t size = strlen (master_key_ascii); 923 if (size % 2) { 924 SLOGE("Trying to convert ascii string of odd length"); 925 return NULL; 926 } 927 928 unsigned char* master_key = (unsigned char*) malloc(size / 2); 929 if (master_key == 0) { 930 SLOGE("Cannot allocate"); 931 return NULL; 932 } 933 934 for (i = 0; i < size; i += 2) { 935 int high_nibble = hexdigit (master_key_ascii[i]); 936 int low_nibble = hexdigit (master_key_ascii[i + 1]); 937 938 if(high_nibble < 0 || low_nibble < 0) { 939 SLOGE("Invalid hex string"); 940 free (master_key); 941 return NULL; 942 } 943 944 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 945 (*out_keysize)++; 946 } 947 948 return master_key; 949} 950 951/* Convert a binary key of specified length into an ascii hex string equivalent, 952 * without the leading 0x and with null termination 953 */ 954static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 955 char *master_key_ascii) 956{ 957 unsigned int i, a; 958 unsigned char nibble; 959 960 for (i=0, a=0; i<keysize; i++, a+=2) { 961 /* For each byte, write out two ascii hex digits */ 962 nibble = (master_key[i] >> 4) & 0xf; 963 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 964 965 nibble = master_key[i] & 0xf; 966 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 967 } 968 969 /* Add the null termination */ 970 master_key_ascii[a] = '\0'; 971 972} 973 974static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 975 char *real_blk_name, const char *name, int fd, 976 char *extra_params) 977{ 978 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 979 struct dm_ioctl *io; 980 struct dm_target_spec *tgt; 981 char *crypt_params; 982 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 983 int i; 984 985 io = (struct dm_ioctl *) buffer; 986 987 /* Load the mapping table for this device */ 988 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 989 990 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 991 io->target_count = 1; 992 tgt->status = 0; 993 tgt->sector_start = 0; 994 tgt->length = crypt_ftr->fs_size; 995 strcpy(tgt->target_type, "crypt"); 996 997 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 998 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 999 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1000 master_key_ascii, real_blk_name, extra_params); 1001 crypt_params += strlen(crypt_params) + 1; 1002 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1003 tgt->next = crypt_params - buffer; 1004 1005 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1006 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1007 break; 1008 } 1009 usleep(500000); 1010 } 1011 1012 if (i == TABLE_LOAD_RETRIES) { 1013 /* We failed to load the table, return an error */ 1014 return -1; 1015 } else { 1016 return i + 1; 1017 } 1018} 1019 1020 1021static int get_dm_crypt_version(int fd, const char *name, int *version) 1022{ 1023 char buffer[DM_CRYPT_BUF_SIZE]; 1024 struct dm_ioctl *io; 1025 struct dm_target_versions *v; 1026 1027 io = (struct dm_ioctl *) buffer; 1028 1029 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1030 1031 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1032 return -1; 1033 } 1034 1035 /* Iterate over the returned versions, looking for name of "crypt". 1036 * When found, get and return the version. 1037 */ 1038 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1039 while (v->next) { 1040 if (! strcmp(v->name, "crypt")) { 1041 /* We found the crypt driver, return the version, and get out */ 1042 version[0] = v->version[0]; 1043 version[1] = v->version[1]; 1044 version[2] = v->version[2]; 1045 return 0; 1046 } 1047 v = (struct dm_target_versions *)(((char *)v) + v->next); 1048 } 1049 1050 return -1; 1051} 1052 1053static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1054 char *real_blk_name, char *crypto_blk_name, const char *name) 1055{ 1056 char buffer[DM_CRYPT_BUF_SIZE]; 1057 struct dm_ioctl *io; 1058 unsigned int minor; 1059 int fd; 1060 int retval = -1; 1061 int version[3]; 1062 char *extra_params; 1063 int load_count; 1064 1065 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1066 SLOGE("Cannot open device-mapper\n"); 1067 goto errout; 1068 } 1069 1070 io = (struct dm_ioctl *) buffer; 1071 1072 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1073 if (ioctl(fd, DM_DEV_CREATE, io)) { 1074 SLOGE("Cannot create dm-crypt device\n"); 1075 goto errout; 1076 } 1077 1078 /* Get the device status, in particular, the name of it's device file */ 1079 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1080 if (ioctl(fd, DM_DEV_STATUS, io)) { 1081 SLOGE("Cannot retrieve dm-crypt device status\n"); 1082 goto errout; 1083 } 1084 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1085 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1086 1087 extra_params = ""; 1088 if (! get_dm_crypt_version(fd, name, version)) { 1089 /* Support for allow_discards was added in version 1.11.0 */ 1090 if ((version[0] >= 2) || 1091 ((version[0] == 1) && (version[1] >= 11))) { 1092 extra_params = "1 allow_discards"; 1093 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1094 } 1095 } 1096 1097 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1098 fd, extra_params); 1099 if (load_count < 0) { 1100 SLOGE("Cannot load dm-crypt mapping table.\n"); 1101 goto errout; 1102 } else if (load_count > 1) { 1103 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1104 } 1105 1106 /* Resume this device to activate it */ 1107 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1108 1109 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1110 SLOGE("Cannot resume the dm-crypt device\n"); 1111 goto errout; 1112 } 1113 1114 /* We made it here with no errors. Woot! */ 1115 retval = 0; 1116 1117errout: 1118 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1119 1120 return retval; 1121} 1122 1123static int delete_crypto_blk_dev(char *name) 1124{ 1125 int fd; 1126 char buffer[DM_CRYPT_BUF_SIZE]; 1127 struct dm_ioctl *io; 1128 int retval = -1; 1129 1130 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1131 SLOGE("Cannot open device-mapper\n"); 1132 goto errout; 1133 } 1134 1135 io = (struct dm_ioctl *) buffer; 1136 1137 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1138 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1139 SLOGE("Cannot remove dm-crypt device\n"); 1140 goto errout; 1141 } 1142 1143 /* We made it here with no errors. Woot! */ 1144 retval = 0; 1145 1146errout: 1147 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1148 1149 return retval; 1150 1151} 1152 1153static int pbkdf2(const char *passwd, const unsigned char *salt, 1154 unsigned char *ikey, void *params UNUSED) 1155{ 1156 SLOGI("Using pbkdf2 for cryptfs KDF"); 1157 1158 /* Turn the password into a key and IV that can decrypt the master key */ 1159 unsigned int keysize; 1160 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1161 if (!master_key) return -1; 1162 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1163 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1164 1165 memset(master_key, 0, keysize); 1166 free (master_key); 1167 return 0; 1168} 1169 1170static int scrypt(const char *passwd, const unsigned char *salt, 1171 unsigned char *ikey, void *params) 1172{ 1173 SLOGI("Using scrypt for cryptfs KDF"); 1174 1175 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1176 1177 int N = 1 << ftr->N_factor; 1178 int r = 1 << ftr->r_factor; 1179 int p = 1 << ftr->p_factor; 1180 1181 /* Turn the password into a key and IV that can decrypt the master key */ 1182 unsigned int keysize; 1183 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1184 if (!master_key) return -1; 1185 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1186 KEY_LEN_BYTES + IV_LEN_BYTES); 1187 1188 memset(master_key, 0, keysize); 1189 free (master_key); 1190 return 0; 1191} 1192 1193static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1194 unsigned char *ikey, void *params) 1195{ 1196 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1197 1198 int rc; 1199 unsigned int key_size; 1200 size_t signature_size; 1201 unsigned char* signature; 1202 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1203 1204 int N = 1 << ftr->N_factor; 1205 int r = 1 << ftr->r_factor; 1206 int p = 1 << ftr->p_factor; 1207 1208 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1209 if (!master_key) { 1210 SLOGE("Failed to convert passwd from hex"); 1211 return -1; 1212 } 1213 1214 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1215 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1216 memset(master_key, 0, key_size); 1217 free(master_key); 1218 1219 if (rc) { 1220 SLOGE("scrypt failed"); 1221 return -1; 1222 } 1223 1224 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1225 &signature, &signature_size)) { 1226 SLOGE("Signing failed"); 1227 return -1; 1228 } 1229 1230 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1231 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1232 free(signature); 1233 1234 if (rc) { 1235 SLOGE("scrypt failed"); 1236 return -1; 1237 } 1238 1239 return 0; 1240} 1241 1242static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1243 const unsigned char *decrypted_master_key, 1244 unsigned char *encrypted_master_key, 1245 struct crypt_mnt_ftr *crypt_ftr) 1246{ 1247 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1248 EVP_CIPHER_CTX e_ctx; 1249 int encrypted_len, final_len; 1250 int rc = 0; 1251 1252 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1253 get_device_scrypt_params(crypt_ftr); 1254 1255 switch (crypt_ftr->kdf_type) { 1256 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1257 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1258 case KDF_SCRYPT_KEYMASTER: 1259 if (keymaster_create_key(crypt_ftr)) { 1260 SLOGE("keymaster_create_key failed"); 1261 return -1; 1262 } 1263 1264 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1265 SLOGE("scrypt failed"); 1266 return -1; 1267 } 1268 break; 1269 1270 case KDF_SCRYPT: 1271 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1272 SLOGE("scrypt failed"); 1273 return -1; 1274 } 1275 break; 1276 1277 default: 1278 SLOGE("Invalid kdf_type"); 1279 return -1; 1280 } 1281 1282 /* Initialize the decryption engine */ 1283 EVP_CIPHER_CTX_init(&e_ctx); 1284 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1285 SLOGE("EVP_EncryptInit failed\n"); 1286 return -1; 1287 } 1288 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1289 1290 /* Encrypt the master key */ 1291 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1292 decrypted_master_key, KEY_LEN_BYTES)) { 1293 SLOGE("EVP_EncryptUpdate failed\n"); 1294 return -1; 1295 } 1296 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1297 SLOGE("EVP_EncryptFinal failed\n"); 1298 return -1; 1299 } 1300 1301 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1302 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1303 return -1; 1304 } 1305 1306 /* Store the scrypt of the intermediate key, so we can validate if it's a 1307 password error or mount error when things go wrong. 1308 Note there's no need to check for errors, since if this is incorrect, we 1309 simply won't wipe userdata, which is the correct default behavior 1310 */ 1311 int N = 1 << crypt_ftr->N_factor; 1312 int r = 1 << crypt_ftr->r_factor; 1313 int p = 1 << crypt_ftr->p_factor; 1314 1315 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1316 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1317 crypt_ftr->scrypted_intermediate_key, 1318 sizeof(crypt_ftr->scrypted_intermediate_key)); 1319 1320 if (rc) { 1321 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1322 } 1323 1324 return 0; 1325} 1326 1327static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1328 unsigned char *encrypted_master_key, 1329 unsigned char *decrypted_master_key, 1330 kdf_func kdf, void *kdf_params, 1331 unsigned char** intermediate_key, 1332 size_t* intermediate_key_size) 1333{ 1334 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1335 EVP_CIPHER_CTX d_ctx; 1336 int decrypted_len, final_len; 1337 1338 /* Turn the password into an intermediate key and IV that can decrypt the 1339 master key */ 1340 if (kdf(passwd, salt, ikey, kdf_params)) { 1341 SLOGE("kdf failed"); 1342 return -1; 1343 } 1344 1345 /* Initialize the decryption engine */ 1346 EVP_CIPHER_CTX_init(&d_ctx); 1347 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1348 return -1; 1349 } 1350 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1351 /* Decrypt the master key */ 1352 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1353 encrypted_master_key, KEY_LEN_BYTES)) { 1354 return -1; 1355 } 1356 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1357 return -1; 1358 } 1359 1360 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1361 return -1; 1362 } 1363 1364 /* Copy intermediate key if needed by params */ 1365 if (intermediate_key && intermediate_key_size) { 1366 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1367 if (intermediate_key) { 1368 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1369 *intermediate_key_size = KEY_LEN_BYTES; 1370 } 1371 } 1372 1373 return 0; 1374} 1375 1376static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1377{ 1378 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1379 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1380 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1381 *kdf = scrypt_keymaster; 1382 *kdf_params = ftr; 1383 } else if (ftr->kdf_type == KDF_SCRYPT) { 1384 *kdf = scrypt; 1385 *kdf_params = ftr; 1386 } else { 1387 *kdf = pbkdf2; 1388 *kdf_params = NULL; 1389 } 1390} 1391 1392static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1393 struct crypt_mnt_ftr *crypt_ftr, 1394 unsigned char** intermediate_key, 1395 size_t* intermediate_key_size) 1396{ 1397 kdf_func kdf; 1398 void *kdf_params; 1399 int ret; 1400 1401 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1402 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1403 decrypted_master_key, kdf, kdf_params, 1404 intermediate_key, intermediate_key_size); 1405 if (ret != 0) { 1406 SLOGW("failure decrypting master key"); 1407 } 1408 1409 return ret; 1410} 1411 1412static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1413 struct crypt_mnt_ftr *crypt_ftr) { 1414 int fd; 1415 unsigned char key_buf[KEY_LEN_BYTES]; 1416 1417 /* Get some random bits for a key */ 1418 fd = open("/dev/urandom", O_RDONLY); 1419 read(fd, key_buf, sizeof(key_buf)); 1420 read(fd, salt, SALT_LEN); 1421 close(fd); 1422 1423 /* Now encrypt it with the password */ 1424 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1425} 1426 1427static int wait_and_unmount(char *mountpoint, bool kill) 1428{ 1429 int i, err, rc; 1430#define WAIT_UNMOUNT_COUNT 20 1431 1432 /* Now umount the tmpfs filesystem */ 1433 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1434 if (umount(mountpoint) == 0) { 1435 break; 1436 } 1437 1438 if (errno == EINVAL) { 1439 /* EINVAL is returned if the directory is not a mountpoint, 1440 * i.e. there is no filesystem mounted there. So just get out. 1441 */ 1442 break; 1443 } 1444 1445 err = errno; 1446 1447 /* If allowed, be increasingly aggressive before the last two retries */ 1448 if (kill) { 1449 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1450 SLOGW("sending SIGHUP to processes with open files\n"); 1451 vold_killProcessesWithOpenFiles(mountpoint, 1); 1452 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1453 SLOGW("sending SIGKILL to processes with open files\n"); 1454 vold_killProcessesWithOpenFiles(mountpoint, 2); 1455 } 1456 } 1457 1458 sleep(1); 1459 } 1460 1461 if (i < WAIT_UNMOUNT_COUNT) { 1462 SLOGD("unmounting %s succeeded\n", mountpoint); 1463 rc = 0; 1464 } else { 1465 vold_killProcessesWithOpenFiles(mountpoint, 0); 1466 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1467 rc = -1; 1468 } 1469 1470 return rc; 1471} 1472 1473#define DATA_PREP_TIMEOUT 200 1474static int prep_data_fs(void) 1475{ 1476 int i; 1477 1478 /* Do the prep of the /data filesystem */ 1479 property_set("vold.post_fs_data_done", "0"); 1480 property_set("vold.decrypt", "trigger_post_fs_data"); 1481 SLOGD("Just triggered post_fs_data\n"); 1482 1483 /* Wait a max of 50 seconds, hopefully it takes much less */ 1484 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1485 char p[PROPERTY_VALUE_MAX]; 1486 1487 property_get("vold.post_fs_data_done", p, "0"); 1488 if (*p == '1') { 1489 break; 1490 } else { 1491 usleep(250000); 1492 } 1493 } 1494 if (i == DATA_PREP_TIMEOUT) { 1495 /* Ugh, we failed to prep /data in time. Bail. */ 1496 SLOGE("post_fs_data timed out!\n"); 1497 return -1; 1498 } else { 1499 SLOGD("post_fs_data done\n"); 1500 return 0; 1501 } 1502} 1503 1504static void cryptfs_set_corrupt() 1505{ 1506 // Mark the footer as bad 1507 struct crypt_mnt_ftr crypt_ftr; 1508 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1509 SLOGE("Failed to get crypto footer - panic"); 1510 return; 1511 } 1512 1513 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1514 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1515 SLOGE("Failed to set crypto footer - panic"); 1516 return; 1517 } 1518} 1519 1520static void cryptfs_trigger_restart_min_framework() 1521{ 1522 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1523 SLOGE("Failed to mount tmpfs on data - panic"); 1524 return; 1525 } 1526 1527 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1528 SLOGE("Failed to trigger post fs data - panic"); 1529 return; 1530 } 1531 1532 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1533 SLOGE("Failed to trigger restart min framework - panic"); 1534 return; 1535 } 1536} 1537 1538/* returns < 0 on failure */ 1539static int cryptfs_restart_internal(int restart_main) 1540{ 1541 char crypto_blkdev[MAXPATHLEN]; 1542 int rc = -1; 1543 static int restart_successful = 0; 1544 1545 /* Validate that it's OK to call this routine */ 1546 if (! master_key_saved) { 1547 SLOGE("Encrypted filesystem not validated, aborting"); 1548 return -1; 1549 } 1550 1551 if (restart_successful) { 1552 SLOGE("System already restarted with encrypted disk, aborting"); 1553 return -1; 1554 } 1555 1556 if (restart_main) { 1557 /* Here is where we shut down the framework. The init scripts 1558 * start all services in one of three classes: core, main or late_start. 1559 * On boot, we start core and main. Now, we stop main, but not core, 1560 * as core includes vold and a few other really important things that 1561 * we need to keep running. Once main has stopped, we should be able 1562 * to umount the tmpfs /data, then mount the encrypted /data. 1563 * We then restart the class main, and also the class late_start. 1564 * At the moment, I've only put a few things in late_start that I know 1565 * are not needed to bring up the framework, and that also cause problems 1566 * with unmounting the tmpfs /data, but I hope to add add more services 1567 * to the late_start class as we optimize this to decrease the delay 1568 * till the user is asked for the password to the filesystem. 1569 */ 1570 1571 /* The init files are setup to stop the class main when vold.decrypt is 1572 * set to trigger_reset_main. 1573 */ 1574 property_set("vold.decrypt", "trigger_reset_main"); 1575 SLOGD("Just asked init to shut down class main\n"); 1576 1577 /* Ugh, shutting down the framework is not synchronous, so until it 1578 * can be fixed, this horrible hack will wait a moment for it all to 1579 * shut down before proceeding. Without it, some devices cannot 1580 * restart the graphics services. 1581 */ 1582 sleep(2); 1583 } 1584 1585 /* Now that the framework is shutdown, we should be able to umount() 1586 * the tmpfs filesystem, and mount the real one. 1587 */ 1588 1589 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1590 if (strlen(crypto_blkdev) == 0) { 1591 SLOGE("fs_crypto_blkdev not set\n"); 1592 return -1; 1593 } 1594 1595 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1596 /* If ro.crypto.readonly is set to 1, mount the decrypted 1597 * filesystem readonly. This is used when /data is mounted by 1598 * recovery mode. 1599 */ 1600 char ro_prop[PROPERTY_VALUE_MAX]; 1601 property_get("ro.crypto.readonly", ro_prop, ""); 1602 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1603 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1604 rec->flags |= MS_RDONLY; 1605 } 1606 1607 /* If that succeeded, then mount the decrypted filesystem */ 1608 int retries = RETRY_MOUNT_ATTEMPTS; 1609 int mount_rc; 1610 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1611 crypto_blkdev, 0)) 1612 != 0) { 1613 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1614 /* TODO: invoke something similar to 1615 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1616 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1617 SLOGI("Failed to mount %s because it is busy - waiting", 1618 crypto_blkdev); 1619 if (--retries) { 1620 sleep(RETRY_MOUNT_DELAY_SECONDS); 1621 } else { 1622 /* Let's hope that a reboot clears away whatever is keeping 1623 the mount busy */ 1624 cryptfs_reboot(reboot); 1625 } 1626 } else { 1627 SLOGE("Failed to mount decrypted data"); 1628 cryptfs_set_corrupt(); 1629 cryptfs_trigger_restart_min_framework(); 1630 SLOGI("Started framework to offer wipe"); 1631 return -1; 1632 } 1633 } 1634 1635 property_set("vold.decrypt", "trigger_load_persist_props"); 1636 /* Create necessary paths on /data */ 1637 if (prep_data_fs()) { 1638 return -1; 1639 } 1640 1641 /* startup service classes main and late_start */ 1642 property_set("vold.decrypt", "trigger_restart_framework"); 1643 SLOGD("Just triggered restart_framework\n"); 1644 1645 /* Give it a few moments to get started */ 1646 sleep(1); 1647 } 1648 1649 if (rc == 0) { 1650 restart_successful = 1; 1651 } 1652 1653 return rc; 1654} 1655 1656int cryptfs_restart(void) 1657{ 1658 /* Call internal implementation forcing a restart of main service group */ 1659 return cryptfs_restart_internal(1); 1660} 1661 1662static int do_crypto_complete(char *mount_point UNUSED) 1663{ 1664 struct crypt_mnt_ftr crypt_ftr; 1665 char encrypted_state[PROPERTY_VALUE_MAX]; 1666 char key_loc[PROPERTY_VALUE_MAX]; 1667 1668 property_get("ro.crypto.state", encrypted_state, ""); 1669 if (strcmp(encrypted_state, "encrypted") ) { 1670 SLOGE("not running with encryption, aborting"); 1671 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1672 } 1673 1674 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1675 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1676 1677 /* 1678 * Only report this error if key_loc is a file and it exists. 1679 * If the device was never encrypted, and /data is not mountable for 1680 * some reason, returning 1 should prevent the UI from presenting the 1681 * a "enter password" screen, or worse, a "press button to wipe the 1682 * device" screen. 1683 */ 1684 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1685 SLOGE("master key file does not exist, aborting"); 1686 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1687 } else { 1688 SLOGE("Error getting crypt footer and key\n"); 1689 return CRYPTO_COMPLETE_BAD_METADATA; 1690 } 1691 } 1692 1693 // Test for possible error flags 1694 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1695 SLOGE("Encryption process is partway completed\n"); 1696 return CRYPTO_COMPLETE_PARTIAL; 1697 } 1698 1699 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1700 SLOGE("Encryption process was interrupted but cannot continue\n"); 1701 return CRYPTO_COMPLETE_INCONSISTENT; 1702 } 1703 1704 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1705 SLOGE("Encryption is successful but data is corrupt\n"); 1706 return CRYPTO_COMPLETE_CORRUPT; 1707 } 1708 1709 /* We passed the test! We shall diminish, and return to the west */ 1710 return CRYPTO_COMPLETE_ENCRYPTED; 1711} 1712 1713static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1714 char *passwd, char *mount_point, char *label) 1715{ 1716 /* Allocate enough space for a 256 bit key, but we may use less */ 1717 unsigned char decrypted_master_key[32]; 1718 char crypto_blkdev[MAXPATHLEN]; 1719 char real_blkdev[MAXPATHLEN]; 1720 char tmp_mount_point[64]; 1721 unsigned int orig_failed_decrypt_count; 1722 int rc; 1723 int use_keymaster = 0; 1724 int upgrade = 0; 1725 unsigned char* intermediate_key = 0; 1726 size_t intermediate_key_size = 0; 1727 1728 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1729 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1730 1731 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1732 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1733 &intermediate_key, &intermediate_key_size)) { 1734 SLOGE("Failed to decrypt master key\n"); 1735 rc = -1; 1736 goto errout; 1737 } 1738 } 1739 1740 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1741 1742 // Create crypto block device - all (non fatal) code paths 1743 // need it 1744 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1745 real_blkdev, crypto_blkdev, label)) { 1746 SLOGE("Error creating decrypted block device\n"); 1747 rc = -1; 1748 goto errout; 1749 } 1750 1751 /* Work out if the problem is the password or the data */ 1752 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1753 scrypted_intermediate_key)]; 1754 int N = 1 << crypt_ftr->N_factor; 1755 int r = 1 << crypt_ftr->r_factor; 1756 int p = 1 << crypt_ftr->p_factor; 1757 1758 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1759 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1760 N, r, p, scrypted_intermediate_key, 1761 sizeof(scrypted_intermediate_key)); 1762 1763 // Does the key match the crypto footer? 1764 if (rc == 0 && memcmp(scrypted_intermediate_key, 1765 crypt_ftr->scrypted_intermediate_key, 1766 sizeof(scrypted_intermediate_key)) == 0) { 1767 SLOGI("Password matches"); 1768 rc = 0; 1769 } else { 1770 /* Try mounting the file system anyway, just in case the problem's with 1771 * the footer, not the key. */ 1772 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1773 mkdir(tmp_mount_point, 0755); 1774 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1775 SLOGE("Error temp mounting decrypted block device\n"); 1776 delete_crypto_blk_dev(label); 1777 1778 rc = ++crypt_ftr->failed_decrypt_count; 1779 put_crypt_ftr_and_key(crypt_ftr); 1780 } else { 1781 /* Success! */ 1782 SLOGI("Password did not match but decrypted drive mounted - continue"); 1783 umount(tmp_mount_point); 1784 rc = 0; 1785 } 1786 } 1787 1788 if (rc == 0) { 1789 crypt_ftr->failed_decrypt_count = 0; 1790 if (orig_failed_decrypt_count != 0) { 1791 put_crypt_ftr_and_key(crypt_ftr); 1792 } 1793 1794 /* Save the name of the crypto block device 1795 * so we can mount it when restarting the framework. */ 1796 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1797 1798 /* Also save a the master key so we can reencrypted the key 1799 * the key when we want to change the password on it. */ 1800 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1801 saved_mount_point = strdup(mount_point); 1802 master_key_saved = 1; 1803 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1804 rc = 0; 1805 1806 // Upgrade if we're not using the latest KDF. 1807 use_keymaster = keymaster_check_compatibility(); 1808 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1809 // Don't allow downgrade 1810 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1811 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1812 upgrade = 1; 1813 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1814 crypt_ftr->kdf_type = KDF_SCRYPT; 1815 upgrade = 1; 1816 } 1817 1818 if (upgrade) { 1819 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1820 crypt_ftr->master_key, crypt_ftr); 1821 if (!rc) { 1822 rc = put_crypt_ftr_and_key(crypt_ftr); 1823 } 1824 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1825 1826 // Do not fail even if upgrade failed - machine is bootable 1827 // Note that if this code is ever hit, there is a *serious* problem 1828 // since KDFs should never fail. You *must* fix the kdf before 1829 // proceeding! 1830 if (rc) { 1831 SLOGW("Upgrade failed with error %d," 1832 " but continuing with previous state", 1833 rc); 1834 rc = 0; 1835 } 1836 } 1837 } 1838 1839 errout: 1840 if (intermediate_key) { 1841 memset(intermediate_key, 0, intermediate_key_size); 1842 free(intermediate_key); 1843 } 1844 return rc; 1845} 1846 1847/* Called by vold when it wants to undo the crypto mapping of a volume it 1848 * manages. This is usually in response to a factory reset, when we want 1849 * to undo the crypto mapping so the volume is formatted in the clear. 1850 */ 1851int cryptfs_revert_volume(const char *label) 1852{ 1853 return delete_crypto_blk_dev((char *)label); 1854} 1855 1856/* 1857 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1858 * Setup a dm-crypt mapping, use the saved master key from 1859 * setting up the /data mapping, and return the new device path. 1860 */ 1861int cryptfs_setup_volume(const char *label, int major, int minor, 1862 char *crypto_sys_path, unsigned int max_path, 1863 int *new_major, int *new_minor) 1864{ 1865 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1866 struct crypt_mnt_ftr sd_crypt_ftr; 1867 struct stat statbuf; 1868 unsigned int nr_sec; 1869 int fd; 1870 1871 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1872 1873 get_crypt_ftr_and_key(&sd_crypt_ftr); 1874 1875 /* Update the fs_size field to be the size of the volume */ 1876 fd = open(real_blkdev, O_RDONLY); 1877 nr_sec = get_blkdev_size(fd); 1878 close(fd); 1879 if (nr_sec == 0) { 1880 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1881 return -1; 1882 } 1883 1884 sd_crypt_ftr.fs_size = nr_sec; 1885 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1886 crypto_blkdev, label); 1887 1888 stat(crypto_blkdev, &statbuf); 1889 *new_major = MAJOR(statbuf.st_rdev); 1890 *new_minor = MINOR(statbuf.st_rdev); 1891 1892 /* Create path to sys entry for this block device */ 1893 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1894 1895 return 0; 1896} 1897 1898int cryptfs_crypto_complete(void) 1899{ 1900 return do_crypto_complete("/data"); 1901} 1902 1903int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1904{ 1905 char encrypted_state[PROPERTY_VALUE_MAX]; 1906 property_get("ro.crypto.state", encrypted_state, ""); 1907 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1908 SLOGE("encrypted fs already validated or not running with encryption," 1909 " aborting"); 1910 return -1; 1911 } 1912 1913 if (get_crypt_ftr_and_key(crypt_ftr)) { 1914 SLOGE("Error getting crypt footer and key"); 1915 return -1; 1916 } 1917 1918 return 0; 1919} 1920 1921/* 1922 * TODO - transition patterns to new format in calling code 1923 * and remove this vile hack, and the use of hex in 1924 * the password passing code. 1925 * 1926 * Patterns are passed in zero based (i.e. the top left dot 1927 * is represented by zero, the top middle one etc), but we want 1928 * to store them '1' based. 1929 * This is to allow us to migrate the calling code to use this 1930 * convention. It also solves a nasty problem whereby scrypt ignores 1931 * trailing zeros, so patterns ending at the top left could be 1932 * truncated, and similarly, you could add the top left to any 1933 * pattern and still match. 1934 * adjust_passwd is a hack function that returns the alternate representation 1935 * if the password appears to be a pattern (hex numbers all less than 09) 1936 * If it succeeds we need to try both, and in particular try the alternate 1937 * first. If the original matches, then we need to update the footer 1938 * with the alternate. 1939 * All code that accepts passwords must adjust them first. Since 1940 * cryptfs_check_passwd is always the first function called after a migration 1941 * (and indeed on any boot) we only need to do the double try in this 1942 * function. 1943 */ 1944char* adjust_passwd(const char* passwd) 1945{ 1946 size_t index, length; 1947 1948 if (!passwd) { 1949 return 0; 1950 } 1951 1952 // Check even length. Hex encoded passwords are always 1953 // an even length, since each character encodes to two characters. 1954 length = strlen(passwd); 1955 if (length % 2) { 1956 SLOGW("Password not correctly hex encoded."); 1957 return 0; 1958 } 1959 1960 // Check password is old-style pattern - a collection of hex 1961 // encoded bytes less than 9 (00 through 08) 1962 for (index = 0; index < length; index +=2) { 1963 if (passwd[index] != '0' 1964 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1965 return 0; 1966 } 1967 } 1968 1969 // Allocate room for adjusted passwd and null terminate 1970 char* adjusted = malloc(length + 1); 1971 adjusted[length] = 0; 1972 1973 // Add 0x31 ('1') to each character 1974 for (index = 0; index < length; index += 2) { 1975 // output is 31 through 39 so set first byte to three, second to src + 1 1976 adjusted[index] = '3'; 1977 adjusted[index + 1] = passwd[index + 1] + 1; 1978 } 1979 1980 return adjusted; 1981} 1982 1983int cryptfs_check_passwd(char *passwd) 1984{ 1985 struct crypt_mnt_ftr crypt_ftr; 1986 int rc; 1987 1988 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1989 if (rc) 1990 return rc; 1991 1992 char* adjusted_passwd = adjust_passwd(passwd); 1993 if (adjusted_passwd) { 1994 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 1995 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 1996 DATA_MNT_POINT, "userdata"); 1997 1998 // Maybe the original one still works? 1999 if (rc) { 2000 // Don't double count this failure 2001 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2002 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2003 DATA_MNT_POINT, "userdata"); 2004 if (!rc) { 2005 // cryptfs_changepw also adjusts so pass original 2006 // Note that adjust_passwd only recognises patterns 2007 // so we can safely use CRYPT_TYPE_PATTERN 2008 SLOGI("Updating pattern to new format"); 2009 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2010 } 2011 } 2012 free(adjusted_passwd); 2013 } else { 2014 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2015 DATA_MNT_POINT, "userdata"); 2016 } 2017 2018 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2019 cryptfs_clear_password(); 2020 password = strdup(passwd); 2021 struct timespec now; 2022 clock_gettime(CLOCK_BOOTTIME, &now); 2023 password_expiry_time = now.tv_sec + password_max_age_seconds; 2024 } 2025 2026 return rc; 2027} 2028 2029int cryptfs_verify_passwd(char *passwd) 2030{ 2031 struct crypt_mnt_ftr crypt_ftr; 2032 /* Allocate enough space for a 256 bit key, but we may use less */ 2033 unsigned char decrypted_master_key[32]; 2034 char encrypted_state[PROPERTY_VALUE_MAX]; 2035 int rc; 2036 2037 property_get("ro.crypto.state", encrypted_state, ""); 2038 if (strcmp(encrypted_state, "encrypted") ) { 2039 SLOGE("device not encrypted, aborting"); 2040 return -2; 2041 } 2042 2043 if (!master_key_saved) { 2044 SLOGE("encrypted fs not yet mounted, aborting"); 2045 return -1; 2046 } 2047 2048 if (!saved_mount_point) { 2049 SLOGE("encrypted fs failed to save mount point, aborting"); 2050 return -1; 2051 } 2052 2053 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2054 SLOGE("Error getting crypt footer and key\n"); 2055 return -1; 2056 } 2057 2058 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2059 /* If the device has no password, then just say the password is valid */ 2060 rc = 0; 2061 } else { 2062 char* adjusted_passwd = adjust_passwd(passwd); 2063 if (adjusted_passwd) { 2064 passwd = adjusted_passwd; 2065 } 2066 2067 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2068 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2069 /* They match, the password is correct */ 2070 rc = 0; 2071 } else { 2072 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2073 sleep(1); 2074 rc = 1; 2075 } 2076 2077 free(adjusted_passwd); 2078 } 2079 2080 return rc; 2081} 2082 2083/* Initialize a crypt_mnt_ftr structure. The keysize is 2084 * defaulted to 16 bytes, and the filesystem size to 0. 2085 * Presumably, at a minimum, the caller will update the 2086 * filesystem size and crypto_type_name after calling this function. 2087 */ 2088static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2089{ 2090 off64_t off; 2091 2092 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2093 ftr->magic = CRYPT_MNT_MAGIC; 2094 ftr->major_version = CURRENT_MAJOR_VERSION; 2095 ftr->minor_version = CURRENT_MINOR_VERSION; 2096 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2097 ftr->keysize = KEY_LEN_BYTES; 2098 2099 switch (keymaster_check_compatibility()) { 2100 case 1: 2101 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2102 break; 2103 2104 case 0: 2105 ftr->kdf_type = KDF_SCRYPT; 2106 break; 2107 2108 default: 2109 SLOGE("keymaster_check_compatibility failed"); 2110 return -1; 2111 } 2112 2113 get_device_scrypt_params(ftr); 2114 2115 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2116 if (get_crypt_ftr_info(NULL, &off) == 0) { 2117 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2118 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2119 ftr->persist_data_size; 2120 } 2121 2122 return 0; 2123} 2124 2125static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2126{ 2127 const char *args[10]; 2128 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2129 int num_args; 2130 int status; 2131 int tmp; 2132 int rc = -1; 2133 2134 if (type == EXT4_FS) { 2135 args[0] = "/system/bin/make_ext4fs"; 2136 args[1] = "-a"; 2137 args[2] = "/data"; 2138 args[3] = "-l"; 2139 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2140 args[4] = size_str; 2141 args[5] = crypto_blkdev; 2142 num_args = 6; 2143 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2144 args[0], args[1], args[2], args[3], args[4], args[5]); 2145 } else if (type == F2FS_FS) { 2146 args[0] = "/system/bin/mkfs.f2fs"; 2147 args[1] = "-t"; 2148 args[2] = "-d1"; 2149 args[3] = crypto_blkdev; 2150 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2151 args[4] = size_str; 2152 num_args = 5; 2153 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2154 args[0], args[1], args[2], args[3], args[4]); 2155 } else { 2156 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2157 return -1; 2158 } 2159 2160 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2161 2162 if (tmp != 0) { 2163 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2164 } else { 2165 if (WIFEXITED(status)) { 2166 if (WEXITSTATUS(status)) { 2167 SLOGE("Error creating filesystem on %s, exit status %d ", 2168 crypto_blkdev, WEXITSTATUS(status)); 2169 } else { 2170 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2171 rc = 0; 2172 } 2173 } else { 2174 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2175 } 2176 } 2177 2178 return rc; 2179} 2180 2181#define CRYPT_INPLACE_BUFSIZE 4096 2182#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2183#define CRYPT_SECTOR_SIZE 512 2184 2185/* aligned 32K writes tends to make flash happy. 2186 * SD card association recommends it. 2187 */ 2188#define BLOCKS_AT_A_TIME 8 2189 2190struct encryptGroupsData 2191{ 2192 int realfd; 2193 int cryptofd; 2194 off64_t numblocks; 2195 off64_t one_pct, cur_pct, new_pct; 2196 off64_t blocks_already_done, tot_numblocks; 2197 off64_t used_blocks_already_done, tot_used_blocks; 2198 char* real_blkdev, * crypto_blkdev; 2199 int count; 2200 off64_t offset; 2201 char* buffer; 2202 off64_t last_written_sector; 2203 int completed; 2204 time_t time_started; 2205 int remaining_time; 2206}; 2207 2208static void update_progress(struct encryptGroupsData* data, int is_used) 2209{ 2210 data->blocks_already_done++; 2211 2212 if (is_used) { 2213 data->used_blocks_already_done++; 2214 } 2215 if (data->tot_used_blocks) { 2216 data->new_pct = data->used_blocks_already_done / data->one_pct; 2217 } else { 2218 data->new_pct = data->blocks_already_done / data->one_pct; 2219 } 2220 2221 if (data->new_pct > data->cur_pct) { 2222 char buf[8]; 2223 data->cur_pct = data->new_pct; 2224 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2225 property_set("vold.encrypt_progress", buf); 2226 } 2227 2228 if (data->cur_pct >= 5) { 2229 struct timespec time_now; 2230 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2231 SLOGW("Error getting time"); 2232 } else { 2233 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2234 off64_t remaining_blocks = data->tot_used_blocks 2235 - data->used_blocks_already_done; 2236 int remaining_time = (int)(elapsed_time * remaining_blocks 2237 / data->used_blocks_already_done); 2238 2239 // Change time only if not yet set, lower, or a lot higher for 2240 // best user experience 2241 if (data->remaining_time == -1 2242 || remaining_time < data->remaining_time 2243 || remaining_time > data->remaining_time + 60) { 2244 char buf[8]; 2245 snprintf(buf, sizeof(buf), "%d", remaining_time); 2246 property_set("vold.encrypt_time_remaining", buf); 2247 data->remaining_time = remaining_time; 2248 } 2249 } 2250 } 2251} 2252 2253static void log_progress(struct encryptGroupsData const* data, bool completed) 2254{ 2255 // Precondition - if completed data = 0 else data != 0 2256 2257 // Track progress so we can skip logging blocks 2258 static off64_t offset = -1; 2259 2260 // Need to close existing 'Encrypting from' log? 2261 if (completed || (offset != -1 && data->offset != offset)) { 2262 SLOGI("Encrypted to sector %" PRId64, 2263 offset / info.block_size * CRYPT_SECTOR_SIZE); 2264 offset = -1; 2265 } 2266 2267 // Need to start new 'Encrypting from' log? 2268 if (!completed && offset != data->offset) { 2269 SLOGI("Encrypting from sector %" PRId64, 2270 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2271 } 2272 2273 // Update offset 2274 if (!completed) { 2275 offset = data->offset + (off64_t)data->count * info.block_size; 2276 } 2277} 2278 2279static int flush_outstanding_data(struct encryptGroupsData* data) 2280{ 2281 if (data->count == 0) { 2282 return 0; 2283 } 2284 2285 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2286 2287 if (pread64(data->realfd, data->buffer, 2288 info.block_size * data->count, data->offset) 2289 <= 0) { 2290 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2291 data->real_blkdev); 2292 return -1; 2293 } 2294 2295 if (pwrite64(data->cryptofd, data->buffer, 2296 info.block_size * data->count, data->offset) 2297 <= 0) { 2298 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2299 data->crypto_blkdev); 2300 return -1; 2301 } else { 2302 log_progress(data, false); 2303 } 2304 2305 data->count = 0; 2306 data->last_written_sector = (data->offset + data->count) 2307 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2308 return 0; 2309} 2310 2311static int encrypt_groups(struct encryptGroupsData* data) 2312{ 2313 unsigned int i; 2314 u8 *block_bitmap = 0; 2315 unsigned int block; 2316 off64_t ret; 2317 int rc = -1; 2318 2319 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2320 if (!data->buffer) { 2321 SLOGE("Failed to allocate crypto buffer"); 2322 goto errout; 2323 } 2324 2325 block_bitmap = malloc(info.block_size); 2326 if (!block_bitmap) { 2327 SLOGE("failed to allocate block bitmap"); 2328 goto errout; 2329 } 2330 2331 for (i = 0; i < aux_info.groups; ++i) { 2332 SLOGI("Encrypting group %d", i); 2333 2334 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2335 u32 block_count = min(info.blocks_per_group, 2336 aux_info.len_blocks - first_block); 2337 2338 off64_t offset = (u64)info.block_size 2339 * aux_info.bg_desc[i].bg_block_bitmap; 2340 2341 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2342 if (ret != (int)info.block_size) { 2343 SLOGE("failed to read all of block group bitmap %d", i); 2344 goto errout; 2345 } 2346 2347 offset = (u64)info.block_size * first_block; 2348 2349 data->count = 0; 2350 2351 for (block = 0; block < block_count; block++) { 2352 int used = bitmap_get_bit(block_bitmap, block); 2353 update_progress(data, used); 2354 if (used) { 2355 if (data->count == 0) { 2356 data->offset = offset; 2357 } 2358 data->count++; 2359 } else { 2360 if (flush_outstanding_data(data)) { 2361 goto errout; 2362 } 2363 } 2364 2365 offset += info.block_size; 2366 2367 /* Write data if we are aligned or buffer size reached */ 2368 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2369 || data->count == BLOCKS_AT_A_TIME) { 2370 if (flush_outstanding_data(data)) { 2371 goto errout; 2372 } 2373 } 2374 2375 if (!is_battery_ok_to_continue()) { 2376 SLOGE("Stopping encryption due to low battery"); 2377 rc = 0; 2378 goto errout; 2379 } 2380 2381 } 2382 if (flush_outstanding_data(data)) { 2383 goto errout; 2384 } 2385 } 2386 2387 data->completed = 1; 2388 rc = 0; 2389 2390errout: 2391 log_progress(0, true); 2392 free(data->buffer); 2393 free(block_bitmap); 2394 return rc; 2395} 2396 2397static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2398 char *real_blkdev, 2399 off64_t size, 2400 off64_t *size_already_done, 2401 off64_t tot_size, 2402 off64_t previously_encrypted_upto) 2403{ 2404 u32 i; 2405 struct encryptGroupsData data; 2406 int rc; // Can't initialize without causing warning -Wclobbered 2407 2408 if (previously_encrypted_upto > *size_already_done) { 2409 SLOGD("Not fast encrypting since resuming part way through"); 2410 return -1; 2411 } 2412 2413 memset(&data, 0, sizeof(data)); 2414 data.real_blkdev = real_blkdev; 2415 data.crypto_blkdev = crypto_blkdev; 2416 2417 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2418 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2419 real_blkdev, errno, strerror(errno)); 2420 rc = -1; 2421 goto errout; 2422 } 2423 2424 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2425 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2426 crypto_blkdev, errno, strerror(errno)); 2427 rc = ENABLE_INPLACE_ERR_DEV; 2428 goto errout; 2429 } 2430 2431 if (setjmp(setjmp_env)) { 2432 SLOGE("Reading ext4 extent caused an exception\n"); 2433 rc = -1; 2434 goto errout; 2435 } 2436 2437 if (read_ext(data.realfd, 0) != 0) { 2438 SLOGE("Failed to read ext4 extent\n"); 2439 rc = -1; 2440 goto errout; 2441 } 2442 2443 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2444 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2445 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2446 2447 SLOGI("Encrypting ext4 filesystem in place..."); 2448 2449 data.tot_used_blocks = data.numblocks; 2450 for (i = 0; i < aux_info.groups; ++i) { 2451 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2452 } 2453 2454 data.one_pct = data.tot_used_blocks / 100; 2455 data.cur_pct = 0; 2456 2457 struct timespec time_started = {0}; 2458 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2459 SLOGW("Error getting time at start"); 2460 // Note - continue anyway - we'll run with 0 2461 } 2462 data.time_started = time_started.tv_sec; 2463 data.remaining_time = -1; 2464 2465 rc = encrypt_groups(&data); 2466 if (rc) { 2467 SLOGE("Error encrypting groups"); 2468 goto errout; 2469 } 2470 2471 *size_already_done += data.completed ? size : data.last_written_sector; 2472 rc = 0; 2473 2474errout: 2475 close(data.realfd); 2476 close(data.cryptofd); 2477 2478 return rc; 2479} 2480 2481static void log_progress_f2fs(u64 block, bool completed) 2482{ 2483 // Precondition - if completed data = 0 else data != 0 2484 2485 // Track progress so we can skip logging blocks 2486 static u64 last_block = (u64)-1; 2487 2488 // Need to close existing 'Encrypting from' log? 2489 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2490 SLOGI("Encrypted to block %" PRId64, last_block); 2491 last_block = -1; 2492 } 2493 2494 // Need to start new 'Encrypting from' log? 2495 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2496 SLOGI("Encrypting from block %" PRId64, block); 2497 } 2498 2499 // Update offset 2500 if (!completed) { 2501 last_block = block; 2502 } 2503} 2504 2505static int encrypt_one_block_f2fs(u64 pos, void *data) 2506{ 2507 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2508 2509 priv_dat->blocks_already_done = pos - 1; 2510 update_progress(priv_dat, 1); 2511 2512 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2513 2514 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2515 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2516 return -1; 2517 } 2518 2519 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2520 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2521 return -1; 2522 } else { 2523 log_progress_f2fs(pos, false); 2524 } 2525 2526 return 0; 2527} 2528 2529static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2530 char *real_blkdev, 2531 off64_t size, 2532 off64_t *size_already_done, 2533 off64_t tot_size, 2534 off64_t previously_encrypted_upto) 2535{ 2536 struct encryptGroupsData data; 2537 struct f2fs_info *f2fs_info = NULL; 2538 int rc = ENABLE_INPLACE_ERR_OTHER; 2539 if (previously_encrypted_upto > *size_already_done) { 2540 SLOGD("Not fast encrypting since resuming part way through"); 2541 return ENABLE_INPLACE_ERR_OTHER; 2542 } 2543 memset(&data, 0, sizeof(data)); 2544 data.real_blkdev = real_blkdev; 2545 data.crypto_blkdev = crypto_blkdev; 2546 data.realfd = -1; 2547 data.cryptofd = -1; 2548 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2549 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2550 real_blkdev); 2551 goto errout; 2552 } 2553 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2554 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2555 crypto_blkdev, errno, strerror(errno)); 2556 rc = ENABLE_INPLACE_ERR_DEV; 2557 goto errout; 2558 } 2559 2560 f2fs_info = generate_f2fs_info(data.realfd); 2561 if (!f2fs_info) 2562 goto errout; 2563 2564 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2565 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2566 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2567 2568 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2569 2570 data.one_pct = data.tot_used_blocks / 100; 2571 data.cur_pct = 0; 2572 data.time_started = time(NULL); 2573 data.remaining_time = -1; 2574 2575 data.buffer = malloc(f2fs_info->block_size); 2576 if (!data.buffer) { 2577 SLOGE("Failed to allocate crypto buffer"); 2578 goto errout; 2579 } 2580 2581 data.count = 0; 2582 2583 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2584 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2585 2586 if (rc) { 2587 SLOGE("Error in running over f2fs blocks"); 2588 rc = ENABLE_INPLACE_ERR_OTHER; 2589 goto errout; 2590 } 2591 2592 *size_already_done += size; 2593 rc = 0; 2594 2595errout: 2596 if (rc) 2597 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2598 2599 log_progress_f2fs(0, true); 2600 free(f2fs_info); 2601 free(data.buffer); 2602 close(data.realfd); 2603 close(data.cryptofd); 2604 2605 return rc; 2606} 2607 2608static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2609 off64_t size, off64_t *size_already_done, 2610 off64_t tot_size, 2611 off64_t previously_encrypted_upto) 2612{ 2613 int realfd, cryptofd; 2614 char *buf[CRYPT_INPLACE_BUFSIZE]; 2615 int rc = ENABLE_INPLACE_ERR_OTHER; 2616 off64_t numblocks, i, remainder; 2617 off64_t one_pct, cur_pct, new_pct; 2618 off64_t blocks_already_done, tot_numblocks; 2619 2620 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2621 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2622 return ENABLE_INPLACE_ERR_OTHER; 2623 } 2624 2625 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2626 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2627 crypto_blkdev, errno, strerror(errno)); 2628 close(realfd); 2629 return ENABLE_INPLACE_ERR_DEV; 2630 } 2631 2632 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2633 * The size passed in is the number of 512 byte sectors in the filesystem. 2634 * So compute the number of whole 4K blocks we should read/write, 2635 * and the remainder. 2636 */ 2637 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2638 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2639 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2640 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2641 2642 SLOGE("Encrypting filesystem in place..."); 2643 2644 i = previously_encrypted_upto + 1 - *size_already_done; 2645 2646 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2647 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2648 goto errout; 2649 } 2650 2651 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2652 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2653 goto errout; 2654 } 2655 2656 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2657 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2658 SLOGE("Error reading initial sectors from real_blkdev %s for " 2659 "inplace encrypt\n", crypto_blkdev); 2660 goto errout; 2661 } 2662 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2663 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2664 "inplace encrypt\n", crypto_blkdev); 2665 goto errout; 2666 } else { 2667 SLOGI("Encrypted 1 block at %" PRId64, i); 2668 } 2669 } 2670 2671 one_pct = tot_numblocks / 100; 2672 cur_pct = 0; 2673 /* process the majority of the filesystem in blocks */ 2674 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2675 new_pct = (i + blocks_already_done) / one_pct; 2676 if (new_pct > cur_pct) { 2677 char buf[8]; 2678 2679 cur_pct = new_pct; 2680 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2681 property_set("vold.encrypt_progress", buf); 2682 } 2683 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2684 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2685 goto errout; 2686 } 2687 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2688 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2689 goto errout; 2690 } else { 2691 SLOGD("Encrypted %d block at %" PRId64, 2692 CRYPT_SECTORS_PER_BUFSIZE, 2693 i * CRYPT_SECTORS_PER_BUFSIZE); 2694 } 2695 2696 if (!is_battery_ok_to_continue()) { 2697 SLOGE("Stopping encryption due to low battery"); 2698 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2699 rc = 0; 2700 goto errout; 2701 } 2702 } 2703 2704 /* Do any remaining sectors */ 2705 for (i=0; i<remainder; i++) { 2706 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2707 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2708 goto errout; 2709 } 2710 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2711 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2712 goto errout; 2713 } else { 2714 SLOGI("Encrypted 1 block at next location"); 2715 } 2716 } 2717 2718 *size_already_done += size; 2719 rc = 0; 2720 2721errout: 2722 close(realfd); 2723 close(cryptofd); 2724 2725 return rc; 2726} 2727 2728/* returns on of the ENABLE_INPLACE_* return codes */ 2729static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2730 off64_t size, off64_t *size_already_done, 2731 off64_t tot_size, 2732 off64_t previously_encrypted_upto) 2733{ 2734 int rc_ext4, rc_f2fs, rc_full; 2735 if (previously_encrypted_upto) { 2736 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2737 } 2738 2739 if (*size_already_done + size < previously_encrypted_upto) { 2740 *size_already_done += size; 2741 return 0; 2742 } 2743 2744 /* TODO: identify filesystem type. 2745 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2746 * then we will drop down to cryptfs_enable_inplace_f2fs. 2747 * */ 2748 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2749 size, size_already_done, 2750 tot_size, previously_encrypted_upto)) == 0) { 2751 return 0; 2752 } 2753 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2754 2755 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2756 size, size_already_done, 2757 tot_size, previously_encrypted_upto)) == 0) { 2758 return 0; 2759 } 2760 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2761 2762 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2763 size, size_already_done, tot_size, 2764 previously_encrypted_upto); 2765 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2766 2767 /* Hack for b/17898962, the following is the symptom... */ 2768 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2769 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2770 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2771 return ENABLE_INPLACE_ERR_DEV; 2772 } 2773 return rc_full; 2774} 2775 2776#define CRYPTO_ENABLE_WIPE 1 2777#define CRYPTO_ENABLE_INPLACE 2 2778 2779#define FRAMEWORK_BOOT_WAIT 60 2780 2781static inline int should_encrypt(struct volume_info *volume) 2782{ 2783 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2784 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2785} 2786 2787static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2788{ 2789 int fd = open(filename, O_RDONLY); 2790 if (fd == -1) { 2791 SLOGE("Error opening file %s", filename); 2792 return -1; 2793 } 2794 2795 char block[CRYPT_INPLACE_BUFSIZE]; 2796 memset(block, 0, sizeof(block)); 2797 if (unix_read(fd, block, sizeof(block)) < 0) { 2798 SLOGE("Error reading file %s", filename); 2799 close(fd); 2800 return -1; 2801 } 2802 2803 close(fd); 2804 2805 SHA256_CTX c; 2806 SHA256_Init(&c); 2807 SHA256_Update(&c, block, sizeof(block)); 2808 SHA256_Final(buf, &c); 2809 2810 return 0; 2811} 2812 2813static int get_fs_type(struct fstab_rec *rec) 2814{ 2815 if (!strcmp(rec->fs_type, "ext4")) { 2816 return EXT4_FS; 2817 } else if (!strcmp(rec->fs_type, "f2fs")) { 2818 return F2FS_FS; 2819 } else { 2820 return -1; 2821 } 2822} 2823 2824static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2825 char *crypto_blkdev, char *real_blkdev, 2826 int previously_encrypted_upto) 2827{ 2828 off64_t cur_encryption_done=0, tot_encryption_size=0; 2829 int rc = -1; 2830 2831 if (!is_battery_ok_to_start()) { 2832 SLOGW("Not starting encryption due to low battery"); 2833 return 0; 2834 } 2835 2836 /* The size of the userdata partition, and add in the vold volumes below */ 2837 tot_encryption_size = crypt_ftr->fs_size; 2838 2839 if (how == CRYPTO_ENABLE_WIPE) { 2840 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2841 int fs_type = get_fs_type(rec); 2842 if (fs_type < 0) { 2843 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2844 return -1; 2845 } 2846 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2847 } else if (how == CRYPTO_ENABLE_INPLACE) { 2848 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2849 crypt_ftr->fs_size, &cur_encryption_done, 2850 tot_encryption_size, 2851 previously_encrypted_upto); 2852 2853 if (rc == ENABLE_INPLACE_ERR_DEV) { 2854 /* Hack for b/17898962 */ 2855 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2856 cryptfs_reboot(reboot); 2857 } 2858 2859 if (!rc) { 2860 crypt_ftr->encrypted_upto = cur_encryption_done; 2861 } 2862 2863 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2864 /* The inplace routine never actually sets the progress to 100% due 2865 * to the round down nature of integer division, so set it here */ 2866 property_set("vold.encrypt_progress", "100"); 2867 } 2868 } else { 2869 /* Shouldn't happen */ 2870 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2871 rc = -1; 2872 } 2873 2874 return rc; 2875} 2876 2877int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2878 int allow_reboot) 2879{ 2880 int how = 0; 2881 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2882 unsigned long nr_sec; 2883 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2884 int rc=-1, fd, i; 2885 struct crypt_mnt_ftr crypt_ftr; 2886 struct crypt_persist_data *pdata; 2887 char encrypted_state[PROPERTY_VALUE_MAX]; 2888 char lockid[32] = { 0 }; 2889 char key_loc[PROPERTY_VALUE_MAX]; 2890 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2891 char *sd_mnt_point; 2892 int num_vols; 2893 struct volume_info *vol_list = 0; 2894 off64_t previously_encrypted_upto = 0; 2895 2896 if (!strcmp(howarg, "wipe")) { 2897 how = CRYPTO_ENABLE_WIPE; 2898 } else if (! strcmp(howarg, "inplace")) { 2899 how = CRYPTO_ENABLE_INPLACE; 2900 } else { 2901 /* Shouldn't happen, as CommandListener vets the args */ 2902 goto error_unencrypted; 2903 } 2904 2905 /* See if an encryption was underway and interrupted */ 2906 if (how == CRYPTO_ENABLE_INPLACE 2907 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2908 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2909 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2910 crypt_ftr.encrypted_upto = 0; 2911 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2912 2913 /* At this point, we are in an inconsistent state. Until we successfully 2914 complete encryption, a reboot will leave us broken. So mark the 2915 encryption failed in case that happens. 2916 On successfully completing encryption, remove this flag */ 2917 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2918 2919 put_crypt_ftr_and_key(&crypt_ftr); 2920 } 2921 2922 property_get("ro.crypto.state", encrypted_state, ""); 2923 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2924 SLOGE("Device is already running encrypted, aborting"); 2925 goto error_unencrypted; 2926 } 2927 2928 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2929 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2930 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2931 2932 /* Get the size of the real block device */ 2933 fd = open(real_blkdev, O_RDONLY); 2934 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2935 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2936 goto error_unencrypted; 2937 } 2938 close(fd); 2939 2940 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2941 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2942 unsigned int fs_size_sec, max_fs_size_sec; 2943 fs_size_sec = get_fs_size(real_blkdev); 2944 if (fs_size_sec == 0) 2945 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2946 2947 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2948 2949 if (fs_size_sec > max_fs_size_sec) { 2950 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2951 goto error_unencrypted; 2952 } 2953 } 2954 2955 /* Get a wakelock as this may take a while, and we don't want the 2956 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2957 * wants to keep the screen on, it can grab a full wakelock. 2958 */ 2959 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2960 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2961 2962 /* Get the sdcard mount point */ 2963 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2964 if (!sd_mnt_point) { 2965 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2966 } 2967 if (!sd_mnt_point) { 2968 sd_mnt_point = "/mnt/sdcard"; 2969 } 2970 2971 /* TODO 2972 * Currently do not have test devices with multiple encryptable volumes. 2973 * When we acquire some, re-add support. 2974 */ 2975 num_vols=vold_getNumDirectVolumes(); 2976 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2977 vold_getDirectVolumeList(vol_list); 2978 2979 for (i=0; i<num_vols; i++) { 2980 if (should_encrypt(&vol_list[i])) { 2981 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2982 "%s\n", vol_list[i].label); 2983 goto error_unencrypted; 2984 } 2985 } 2986 2987 /* The init files are setup to stop the class main and late start when 2988 * vold sets trigger_shutdown_framework. 2989 */ 2990 property_set("vold.decrypt", "trigger_shutdown_framework"); 2991 SLOGD("Just asked init to shut down class main\n"); 2992 2993 if (vold_unmountAllAsecs()) { 2994 /* Just report the error. If any are left mounted, 2995 * umounting /data below will fail and handle the error. 2996 */ 2997 SLOGE("Error unmounting internal asecs"); 2998 } 2999 3000 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3001 if (!strcmp(fuse_sdcard, "true")) { 3002 /* This is a device using the fuse layer to emulate the sdcard semantics 3003 * on top of the userdata partition. vold does not manage it, it is managed 3004 * by the sdcard service. The sdcard service was killed by the property trigger 3005 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3006 * unlike the case for vold managed devices above. 3007 */ 3008 if (wait_and_unmount(sd_mnt_point, false)) { 3009 goto error_shutting_down; 3010 } 3011 } 3012 3013 /* Now unmount the /data partition. */ 3014 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3015 if (allow_reboot) { 3016 goto error_shutting_down; 3017 } else { 3018 goto error_unencrypted; 3019 } 3020 } 3021 3022 /* Do extra work for a better UX when doing the long inplace encryption */ 3023 if (how == CRYPTO_ENABLE_INPLACE) { 3024 /* Now that /data is unmounted, we need to mount a tmpfs 3025 * /data, set a property saying we're doing inplace encryption, 3026 * and restart the framework. 3027 */ 3028 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3029 goto error_shutting_down; 3030 } 3031 /* Tells the framework that inplace encryption is starting */ 3032 property_set("vold.encrypt_progress", "0"); 3033 3034 /* restart the framework. */ 3035 /* Create necessary paths on /data */ 3036 if (prep_data_fs()) { 3037 goto error_shutting_down; 3038 } 3039 3040 /* Ugh, shutting down the framework is not synchronous, so until it 3041 * can be fixed, this horrible hack will wait a moment for it all to 3042 * shut down before proceeding. Without it, some devices cannot 3043 * restart the graphics services. 3044 */ 3045 sleep(2); 3046 3047 /* startup service classes main and late_start */ 3048 property_set("vold.decrypt", "trigger_restart_min_framework"); 3049 SLOGD("Just triggered restart_min_framework\n"); 3050 3051 /* OK, the framework is restarted and will soon be showing a 3052 * progress bar. Time to setup an encrypted mapping, and 3053 * either write a new filesystem, or encrypt in place updating 3054 * the progress bar as we work. 3055 */ 3056 } 3057 3058 /* Start the actual work of making an encrypted filesystem */ 3059 /* Initialize a crypt_mnt_ftr for the partition */ 3060 if (previously_encrypted_upto == 0) { 3061 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3062 goto error_shutting_down; 3063 } 3064 3065 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3066 crypt_ftr.fs_size = nr_sec 3067 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3068 } else { 3069 crypt_ftr.fs_size = nr_sec; 3070 } 3071 /* At this point, we are in an inconsistent state. Until we successfully 3072 complete encryption, a reboot will leave us broken. So mark the 3073 encryption failed in case that happens. 3074 On successfully completing encryption, remove this flag */ 3075 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3076 crypt_ftr.crypt_type = crypt_type; 3077 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 3078 3079 /* Make an encrypted master key */ 3080 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3081 SLOGE("Cannot create encrypted master key\n"); 3082 goto error_shutting_down; 3083 } 3084 3085 /* Write the key to the end of the partition */ 3086 put_crypt_ftr_and_key(&crypt_ftr); 3087 3088 /* If any persistent data has been remembered, save it. 3089 * If none, create a valid empty table and save that. 3090 */ 3091 if (!persist_data) { 3092 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3093 if (pdata) { 3094 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3095 persist_data = pdata; 3096 } 3097 } 3098 if (persist_data) { 3099 save_persistent_data(); 3100 } 3101 } 3102 3103 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3104 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3105 "userdata"); 3106 3107 /* If we are continuing, check checksums match */ 3108 rc = 0; 3109 if (previously_encrypted_upto) { 3110 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3111 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3112 3113 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3114 sizeof(hash_first_block)) != 0) { 3115 SLOGE("Checksums do not match - trigger wipe"); 3116 rc = -1; 3117 } 3118 } 3119 3120 if (!rc) { 3121 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3122 crypto_blkdev, real_blkdev, 3123 previously_encrypted_upto); 3124 } 3125 3126 /* Calculate checksum if we are not finished */ 3127 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3128 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3129 crypt_ftr.hash_first_block); 3130 if (rc) { 3131 SLOGE("Error calculating checksum for continuing encryption"); 3132 rc = -1; 3133 } 3134 } 3135 3136 /* Undo the dm-crypt mapping whether we succeed or not */ 3137 delete_crypto_blk_dev("userdata"); 3138 3139 free(vol_list); 3140 3141 if (! rc) { 3142 /* Success */ 3143 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3144 3145 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3146 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3147 crypt_ftr.encrypted_upto); 3148 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3149 } 3150 3151 put_crypt_ftr_and_key(&crypt_ftr); 3152 3153 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3154 char value[PROPERTY_VALUE_MAX]; 3155 property_get("ro.crypto.state", value, ""); 3156 if (!strcmp(value, "")) { 3157 /* default encryption - continue first boot sequence */ 3158 property_set("ro.crypto.state", "encrypted"); 3159 release_wake_lock(lockid); 3160 cryptfs_check_passwd(DEFAULT_PASSWORD); 3161 cryptfs_restart_internal(1); 3162 return 0; 3163 } else { 3164 sleep(2); /* Give the UI a chance to show 100% progress */ 3165 cryptfs_reboot(reboot); 3166 } 3167 } else { 3168 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3169 cryptfs_reboot(shutdown); 3170 } 3171 } else { 3172 char value[PROPERTY_VALUE_MAX]; 3173 3174 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3175 if (!strcmp(value, "1")) { 3176 /* wipe data if encryption failed */ 3177 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3178 mkdir("/cache/recovery", 0700); 3179 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3180 if (fd >= 0) { 3181 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3182 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3183 close(fd); 3184 } else { 3185 SLOGE("could not open /cache/recovery/command\n"); 3186 } 3187 cryptfs_reboot(recovery); 3188 } else { 3189 /* set property to trigger dialog */ 3190 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3191 release_wake_lock(lockid); 3192 } 3193 return -1; 3194 } 3195 3196 /* hrm, the encrypt step claims success, but the reboot failed. 3197 * This should not happen. 3198 * Set the property and return. Hope the framework can deal with it. 3199 */ 3200 property_set("vold.encrypt_progress", "error_reboot_failed"); 3201 release_wake_lock(lockid); 3202 return rc; 3203 3204error_unencrypted: 3205 free(vol_list); 3206 property_set("vold.encrypt_progress", "error_not_encrypted"); 3207 if (lockid[0]) { 3208 release_wake_lock(lockid); 3209 } 3210 return -1; 3211 3212error_shutting_down: 3213 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3214 * but the framework is stopped and not restarted to show the error, so it's up to 3215 * vold to restart the system. 3216 */ 3217 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3218 cryptfs_reboot(reboot); 3219 3220 /* shouldn't get here */ 3221 property_set("vold.encrypt_progress", "error_shutting_down"); 3222 free(vol_list); 3223 if (lockid[0]) { 3224 release_wake_lock(lockid); 3225 } 3226 return -1; 3227} 3228 3229int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3230{ 3231 char* adjusted_passwd = adjust_passwd(passwd); 3232 if (adjusted_passwd) { 3233 passwd = adjusted_passwd; 3234 } 3235 3236 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3237 3238 free(adjusted_passwd); 3239 return rc; 3240} 3241 3242int cryptfs_enable_default(char *howarg, int allow_reboot) 3243{ 3244 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3245 DEFAULT_PASSWORD, allow_reboot); 3246} 3247 3248static int device_is_force_encrypted() { 3249 int ret = -1; 3250 char value[PROP_VALUE_MAX]; 3251 ret = __system_property_get("ro.vold.forceencryption", value); 3252 if (ret < 0) 3253 return 0; 3254 return strcmp(value, "1") ? 0 : 1; 3255} 3256 3257int cryptfs_maybe_enable_default_crypto() 3258{ 3259 // Enable default crypt if /forceencrypt or /encryptable and 3260 // ro.vold.forceencrypt=1, else mount data and continue unencrypted 3261 struct fstab_rec *fstab_rec = 0; 3262 fstab_rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 3263 if (!fstab_rec) { 3264 SLOGE("Error getting fstab record"); 3265 return -1; 3266 } 3267 3268 // See if we should encrypt? 3269 if ( !fs_mgr_is_encryptable(fstab_rec) 3270 || (!fs_mgr_is_force_encrypted(fstab_rec) 3271 && !device_is_force_encrypted())) { 3272 int rc = 0; 3273 3274 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, fstab_rec->blk_device, 0); 3275 property_set("vold.decrypt", "trigger_load_persist_props"); 3276 3277 /* Create necessary paths on /data */ 3278 if (prep_data_fs()) { 3279 return -1; 3280 } 3281 3282 property_set("ro.crypto.state", "unencrypted"); 3283 property_set("vold.decrypt", "trigger_restart_framework"); 3284 SLOGD("Unencrypted - restart_framework\n"); 3285 return rc; 3286 } 3287 3288 return cryptfs_enable_default("inplace", 0); 3289} 3290 3291int cryptfs_changepw(int crypt_type, const char *newpw) 3292{ 3293 struct crypt_mnt_ftr crypt_ftr; 3294 3295 /* This is only allowed after we've successfully decrypted the master key */ 3296 if (!master_key_saved) { 3297 SLOGE("Key not saved, aborting"); 3298 return -1; 3299 } 3300 3301 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3302 SLOGE("Invalid crypt_type %d", crypt_type); 3303 return -1; 3304 } 3305 3306 /* get key */ 3307 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3308 SLOGE("Error getting crypt footer and key"); 3309 return -1; 3310 } 3311 3312 crypt_ftr.crypt_type = crypt_type; 3313 3314 char* adjusted_passwd = adjust_passwd(newpw); 3315 if (adjusted_passwd) { 3316 newpw = adjusted_passwd; 3317 } 3318 3319 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3320 : newpw, 3321 crypt_ftr.salt, 3322 saved_master_key, 3323 crypt_ftr.master_key, 3324 &crypt_ftr); 3325 3326 /* save the key */ 3327 put_crypt_ftr_and_key(&crypt_ftr); 3328 3329 free(adjusted_passwd); 3330 return 0; 3331} 3332 3333static int persist_get_key(char *fieldname, char *value) 3334{ 3335 unsigned int i; 3336 3337 if (persist_data == NULL) { 3338 return -1; 3339 } 3340 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3341 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3342 /* We found it! */ 3343 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3344 return 0; 3345 } 3346 } 3347 3348 return -1; 3349} 3350 3351static int persist_set_key(char *fieldname, char *value, int encrypted) 3352{ 3353 unsigned int i; 3354 unsigned int num; 3355 struct crypt_mnt_ftr crypt_ftr; 3356 unsigned int max_persistent_entries; 3357 unsigned int dsize; 3358 3359 if (persist_data == NULL) { 3360 return -1; 3361 } 3362 3363 /* If encrypted, use the values from the crypt_ftr, otherwise 3364 * use the values for the current spec. 3365 */ 3366 if (encrypted) { 3367 if(get_crypt_ftr_and_key(&crypt_ftr)) { 3368 return -1; 3369 } 3370 dsize = crypt_ftr.persist_data_size; 3371 } else { 3372 dsize = CRYPT_PERSIST_DATA_SIZE; 3373 } 3374 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3375 sizeof(struct crypt_persist_entry); 3376 3377 num = persist_data->persist_valid_entries; 3378 3379 for (i = 0; i < num; i++) { 3380 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3381 /* We found an existing entry, update it! */ 3382 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3383 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3384 return 0; 3385 } 3386 } 3387 3388 /* We didn't find it, add it to the end, if there is room */ 3389 if (persist_data->persist_valid_entries < max_persistent_entries) { 3390 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3391 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3392 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3393 persist_data->persist_valid_entries++; 3394 return 0; 3395 } 3396 3397 return -1; 3398} 3399 3400/* Return the value of the specified field. */ 3401int cryptfs_getfield(char *fieldname, char *value, int len) 3402{ 3403 char temp_value[PROPERTY_VALUE_MAX]; 3404 /* 0 is success, 1 is not encrypted, 3405 * -1 is value not set, -2 is any other error 3406 */ 3407 int rc = -2; 3408 3409 if (persist_data == NULL) { 3410 load_persistent_data(); 3411 if (persist_data == NULL) { 3412 SLOGE("Getfield error, cannot load persistent data"); 3413 goto out; 3414 } 3415 } 3416 3417 if (!persist_get_key(fieldname, temp_value)) { 3418 /* We found it, copy it to the caller's buffer and return */ 3419 strlcpy(value, temp_value, len); 3420 rc = 0; 3421 } else { 3422 /* Sadness, it's not there. Return the error */ 3423 rc = -1; 3424 } 3425 3426out: 3427 return rc; 3428} 3429 3430/* Set the value of the specified field. */ 3431int cryptfs_setfield(char *fieldname, char *value) 3432{ 3433 char encrypted_state[PROPERTY_VALUE_MAX]; 3434 /* 0 is success, -1 is an error */ 3435 int rc = -1; 3436 int encrypted = 0; 3437 3438 if (persist_data == NULL) { 3439 load_persistent_data(); 3440 if (persist_data == NULL) { 3441 SLOGE("Setfield error, cannot load persistent data"); 3442 goto out; 3443 } 3444 } 3445 3446 property_get("ro.crypto.state", encrypted_state, ""); 3447 if (!strcmp(encrypted_state, "encrypted") ) { 3448 encrypted = 1; 3449 } 3450 3451 if (persist_set_key(fieldname, value, encrypted)) { 3452 goto out; 3453 } 3454 3455 /* If we are running encrypted, save the persistent data now */ 3456 if (encrypted) { 3457 if (save_persistent_data()) { 3458 SLOGE("Setfield error, cannot save persistent data"); 3459 goto out; 3460 } 3461 } 3462 3463 rc = 0; 3464 3465out: 3466 return rc; 3467} 3468 3469/* Checks userdata. Attempt to mount the volume if default- 3470 * encrypted. 3471 * On success trigger next init phase and return 0. 3472 * Currently do not handle failure - see TODO below. 3473 */ 3474int cryptfs_mount_default_encrypted(void) 3475{ 3476 char decrypt_state[PROPERTY_VALUE_MAX]; 3477 property_get("vold.decrypt", decrypt_state, "0"); 3478 if (!strcmp(decrypt_state, "0")) { 3479 SLOGE("Not encrypted - should not call here"); 3480 } else { 3481 int crypt_type = cryptfs_get_password_type(); 3482 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3483 SLOGE("Bad crypt type - error"); 3484 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3485 SLOGD("Password is not default - " 3486 "starting min framework to prompt"); 3487 property_set("vold.decrypt", "trigger_restart_min_framework"); 3488 return 0; 3489 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3490 SLOGD("Password is default - restarting filesystem"); 3491 cryptfs_restart_internal(0); 3492 return 0; 3493 } else { 3494 SLOGE("Encrypted, default crypt type but can't decrypt"); 3495 } 3496 } 3497 3498 /** Corrupt. Allow us to boot into framework, which will detect bad 3499 crypto when it calls do_crypto_complete, then do a factory reset 3500 */ 3501 property_set("vold.decrypt", "trigger_restart_min_framework"); 3502 return 0; 3503} 3504 3505/* Returns type of the password, default, pattern, pin or password. 3506 */ 3507int cryptfs_get_password_type(void) 3508{ 3509 struct crypt_mnt_ftr crypt_ftr; 3510 3511 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3512 SLOGE("Error getting crypt footer and key\n"); 3513 return -1; 3514 } 3515 3516 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3517 return -1; 3518 } 3519 3520 return crypt_ftr.crypt_type; 3521} 3522 3523char* cryptfs_get_password() 3524{ 3525 struct timespec now; 3526 clock_gettime(CLOCK_MONOTONIC, &now); 3527 if (now.tv_sec < password_expiry_time) { 3528 return password; 3529 } else { 3530 cryptfs_clear_password(); 3531 return 0; 3532 } 3533} 3534 3535void cryptfs_clear_password() 3536{ 3537 if (password) { 3538 size_t len = strlen(password); 3539 memset(password, 0, len); 3540 free(password); 3541 password = 0; 3542 password_expiry_time = 0; 3543 } 3544} 3545